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Abstract 



The problem of integrating knowledge from multiple and heterogeneous sources is a fundamental 
issue in current information systems. In order to cope with this problem, the concept of mediator 
has been introduced as a software component providing intermediate services, linking data resources 
and application programs, and making transparent the heterogeneity of the underlying systems. In 
designing a mediator architecture, we believe that an important aspect is the definition of a formal 
framework by which one is able to model integration according to a declarative style. To this pur- 
pose, the use of a logical approach seems very promising. Another important aspect is the ability 
to model both static integration aspects, concerning query execution, and dynamic ones, concerning 
data updates and their propagation among the various data sources. Unfortunately, as far as we know, 
no formal proposals for logically modeling mediator architectures both from a static and dynamic 
point of view have already bee n developed. In this pa per, we extend the framework for amalgamated 
knowledge bases, presented in ( Subrahmanian, 1994 1 , to deal with dynami c aspects. The language we 
propose is based on the Active U-Datalog lan guage ([Bertino et al, 19981), an d extends it with anno- 
tated logic and amalgamation concepts from (Kifer and Subrahmanian, 1992; Subrahmanian, 1987). 



We model the sources of information and the mediator (also called supervisor) as Active U-Datalog 
deductive databases, thus modeling queri es, transactions, and active rules, interpreted according to 
the PARK semantics (Gottlob et al, 1996). By using active rules, the system can efficiently perform 



update propagation among different databases. The result is a logical environment, integrating ac- 
tive and deductive rules, to perform queries and update propagation in an heterogeneous mediated 
framework. 



2 



E. Bertino, B. Catania, and P. Perlasca 



1 Introduction 



The problem of integrating knowledge from multiple and heterogeneous sources is a cru- 
cial issue in current information system technology. Very often the knowledge required 
to perform a certain task is factored in several heterogeneous systems and specific tools 
are needed in order to acquire, store, manage, query and update data and knowledge in an 
integrated way. 

The development of an integrated information system entails addressing different prob- 
lems, ranging from the differences in hardware/software platforms, to heterogeneity in 
the database management systems (DBMS), to semantic data heterogeneity, to operational 
issues such as update propagation and consistency maintenance for related information. 
Solutions to the se problems are provided by efforts in different areas (Bukhres and El- 
magarmid, 1996; |Schek et a/., 1993|; [Elmagarmid, 1993|; |Ceri and Widom, 1993|; D o and 
Drew, 1995; [Gupta efg/., 1993| ; [Chawathe ef a/., 1996| ; |Subrahmanian, 1994 - 

In order to cope with the management of heterogeneous systems, the concept of me- 



diator has been introduced ( Wiederhold, 1992). A mediator can be defined as a software 



system component providing intermediate services, linking data resources and application 
programs. In the context of heterogeneous knowledge bases, mediators provide users with 
an integrated view of multiple sources, making transparent the underlying data heterogene- 
ity. The central problem in mediation is the identification of relevant resources for the client 
model and the retrieval of relevant data at the time of a client inquiry. This goal is achieved 
by three main functions: selection of data, translation of the user query into queries suit- 
able for the underlying sources, merging of the resulting data by removing redundancy and 
inconsistency. Through this entire process, the user should not be aware of the underlying 
heterogeneity. 

In designing a mediator architecture, we believe that an important aspect is the definition 
of a formal framework by which it is possible to model integration among heterogeneous 
systems according to a declarative style. Such a framework may be quite useful in under- 
standing how and when information has to be integrated together. In general, this is a very 
difficult task, especially when the number of involved systems is large. This consideration 
calls for a declarative approach allowing one to fully model all aspects of integration and to 
provide the basis by which properties of heterogeneous information systems can be proved. 
To this purpose, the use of a logical approach seems very promising. 



Among the logical approaches that have been proposed ( Bowen and kowalski, 1982 



^agin et a/., 1983|; [Pagin et a/., 1986| [Grant et a/., 199 1|; ^brahmanian, 1989|; S ubrah 



manian, 1994; [Whang et al., 1991 ; Zicari et ai, 1991 ), the amalgamated knowledge base 
framework proposed by Subrahamanian (Subrahmanian, 1994) is one of the few proposals 
providing a formal logical foundation to cooperative knowledge bases. It also represents 



the formal basis of the HERMES system (Subrahmanian et al., 1996). In this framework, 
generahzed annotated logic (Kifer and Subrahmanian, 1992; Subrahmanian, 1987 ) is used 
to model data sources and the notion of supervisor is introduced as a mediator, amalgamat- 
ing the knowledge coming from the local databases. The use of annotated logic provides 
the right formalism for modeling knowledge at different degrees of inconsistencies and 
uncertainties, typical of an heterogeneous environment. A model theoretic and a fixpoint 
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semantics for the proposed framework have also been proposed, thus leading to the defini- 
tion of a fully declarative approach for modeling amalgamated knowledge bases. 

Even if the amalgamated knowledge based framework is quite appealing, it lacks the 
modeling of dynamic aspects. In particular, both the local databases and the supervisor 
have no dynamic behavior This is a strong limitation since it means that the system is not 
able to react to events. Indeed, we believe that, in order to provide most of the functionali- 
ties required to support heterogeneous knowledge bases, mediators should implement two 
different types of integration: 



• Static integration. With static integration we mean the ability to model heteroge- 
neous sources of data, intended as different databases storing (possibly related) data 
and intensional knowledge on data, and the ability to integrate several data manage- 
ment systems to collectively provide information to answer user queries. 

• Dynamic integration. With dynamic integration we mean the ability to update data 
and to propagate updates among the various data sources. 

Here, the main issue concerns how knowledge can be modified in an integrated way, 
introducing new information inside the local databases through the use of the medi- 
ator, and, at the same time, how consistency of the knowledge bases can be guaran- 
teed. These aspects can be supported through the use of active rules. 



In this paper we extend the amalgamated knowledge base framework presented in (Sub- 
rahmanian, 1994) to deal with logical languages modeling updates and active rules. The 
language we propose is based on the Active U-Datalog language (Bertino et ai, 1998) and 
extends it with annotated logic and amalgamation concepts taken from (Kifer and Sub- 
rahmanian, 1992; Subrahmanian, 1987[ ). The result is a logical framework modeling both 
static and dynamic aspects in integrating knowledge from multiple heterogeneous sources. 
Dynamic integration is then provided through updates and active rules, both at the local 
and global level. 

The Active U-Datalog language is a language for integrating active rules, deductive rules 
and updates in a uniform logical context; it is based on Update Datalog (U-Datalog for 
short) (Bertino et ai, 1997) and extends it with support for active rules, in the style of the 
PARK semantics ( jottlob et ai, 1996). In Active U-Datalog, update atoms appear in rule 
bodies; the execution of a goal (also called a transaction) is based on a deferred semantics, 
by which several updates are generated from predicate evaluation, but not immediately 
executed; rather, they are collected and are executed only at the end of the query-answering 
process. In Active U-Datalog, updates are expressed by using constraints. For example, 
+p{a) states that in the new state p{a) must be true whereas -~p{a) states that in the new 
state p{a) must be false. Each atomic solution generates a set of updates. 

Active rules allow several dynamic aspects to be represented, such as transaction ex- 
ecution, reactive behavior and, more specifically, update propagation, in a uniform logi- 
cal framework. The semantics proposed for active rules is based on the PARK semantics 
(Gottlob et ai, 1996). The PARK semantics has been designed with the intent of overcom- 
ing the limitations of previously defined semantics for active rules. In particular, given a 
set of ECA (Event-Condition-Action) rules, that is rules of the form "ON event IF con- 
dition THEN action", the PARK semantics satisfies several properties. First of all, it is 
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non-ambiguous, that is, it always guarantees execution confluence. Moreover, it is flexible 
with respect to conflict resolution. 

A conflict is a situation where two or more active rules can be fired and one of these 
rules requires the insertion of an atom a in the database, whereas at least one of the others 
requires the deletion of a from the database. A conflict resolution policy is a method to de- 
termine which actions should be executed in presence of a conflict and which others should 
be suppressed. Under the PARK semantics, the conflict resolution policy can be chosen 
according to specific application requirements. For example, the policy can specify that 
insertions must always prevail upon deletions. A fixpoint semantics is used to determine 
the result of the application of a set of active rules. The proposed semantics guarantees the 
termination of the evaluation process. The use of the PARK semantics allows the system 
to handle updates generated by deductive rules and updates generated by active rules in a 
uniform way. It is important to note that, in the context of the paper, the term consistency 
refers to a situation in which conflicts are avoided and it is therefore different from the 
general concept of consistency used in the context of integrity constraint checking. 

The logical framework we introduce in this paper relies on the Active U-Datalog logical 
language to model both the local knowledge bases and the mediator. More precisely, we 
introduce the concept of Amalgamated Active-U-Datalog knowledge base as a knowledge 
base supporting the following features: 

1. Multiple sources of data (local databases). We model each deductive database as 
an Active U-Datalog database, extended with annotated logic concepts. Thus, each 
local database consists of an extensional database (i.e., a set of facts), an intensional 
database represented by a set of deductive Active U-Datalog rules, and a set of active 
Active U-Datalog rules. Atoms in deductive and active rules are annotated with val- 
ues taken from a given complete lattice of truth values. The use of Active U-Datalog 
provides the ability to model, not only queries, but also updates inside each database. 
Moreover, active rules allow the local databases to react to external events (in our 
context, represented by updates). The resulting language can be thought as an inter- 
face language by which local source knowledge is represented, for example through 
a wrapper-based approach, before integration. 

2. Integration of local databases. Local databases can be integrated through a super- 



visor. As defined in ( Subrahmanian, 1994), a supervisor specifies a set of rules by 



which the local knowledge can be integrated. The local databases, the supervisor 
and a set of axioms required to gather information from different databases form 



the amalgam. Differently from what has been presented in ( Subrahmanian, 1994 ), in 
our framework the supervisor, which is an Amalgamated Active U-Datalog program, 
can execute updates against local databases and support active rules. Such rules can 
propagate updates depending on the whole status of the integrated system. 

For both aspects, a fixpoint semantics is proposed, integrating those presented in (Sub- 
rahmanian, 1994) and in ( Bertino et al., 1998| ). 



We recall that other approaches have been proposed for update propagation in the con- 
text of h eterogeneous databases (|Ceri and Widom, 1993 ; Do and Drew, 1995; Gupta et 



ah, 1993). However, most of the proposed approaches suggest how to use active rules to 
perform specific tasks, such as schema integration and integrity constraint checking. On 
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the contrary, in the proposed framework, active rules are introduced at a general level. 
Moreover, the use of the PARK semantics provides a clear integration of active and de- 
ductive rules and makes the approach much more flexible with respect to the problem of 
conflict resolution. Indeed, differently from other proposals, where conflicts are solved by 
assig ning priority to rules ([Hanson, 1996 ; Stonebrakeref a/., 1990|; W idom and Finkelstein, 
1990), the PARK semantics allows the application programmer to choose the best conflict 
resolution policy to apply in a particular case. In solving a conflict, information about the 
structure and the current state of the system can be considered. This is particularly impor- 
tant in an integration framework, where update propagation often depends on information 
distributed among various databases. 

The paper is organized as follows. In Subsection |l.l| we compare our approach with sev- 
eral existing approaches for mediating heterogeneous sources. The syntax of the proposed 
framework is presented in Section |[ In Sections ||, ^ and || we then introduce the seman- 
tics of Amalgamated Active U-Datalog, together with several examples of its application. 
Finally, Section || presents some conclusions and outlines future work. 



1.1 Related Work 



When dealing with the integration of heterogeneous information sources, two important 
issues concern semantic interoperability, intended as the capability of representing local 
data, defined according to a local data model, in terms of a common data model, and of 
providing an integrated view of local schemas, and data modification capabilities, intended 
as the ability to update data and to propagate updates among the various data sources. 
In the literature, several approaches for mediating heterogeneous sources have been pro- 



posed (Arens et al, 1996a; Arens et al, 1993; /Vrens et ai, 1996t; Garcia-Molina et al, 
1997; |Beeriefa/., I99lii.evy et ai, 1996| ; |Subrahmanianef a/., 1996| ; ^iterefa/., 1999| ) but 
most of them only deal with the semantic interoperability problem and do not address data 
modification capabilities. Among those approaches, we recall the SIMS approach (A rens 
et al, 1996a; A.rens et al., 1993 ; Arens et al., 1996b| ), which is based on the creation of 
a global domain model used to represent the various local information sources. Queries 
are expressed in such global domain model and, in order to process them, an optimized 
query plan is built by rewriting global domain queries in terms of local sources queries, 
perf orming a semantic query optimization. The TSIMMIS approach (G arcia-Molina et al, 
1997) addresses the heterogeneous source integration problem by considering a mediator 
network composed of mediators and wrappers. In this network, each mediator is able to use 
local information sources through wrappers and/or through other mediators. Wrappers are 
responsible for converting global queries into local source queries. The Information Mani- 



fold system ( Levy etai, 1 996 ) has been developed with the aim of retrieving heterogeneous 
information over the Web. It provides a uniform access to information sources by using a 
declarative description of both the content and the query capabilities of such sources. The 
descriptions of information sources are stored in the so called "capability records", that are 
used to build efficient local query plans. The meaning of capabiUty records is similar to that 
of "yellow page servers" proposed in the context of the HERMES system (Subrahmanian 
et al., 1996). The aim of such a system is that of providing an environment for defining me- 



diators. It is based on the Hybrid Knowledge Base theory (Lu et al., 1996) for integrating 
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information belonging to different data sources. It provides a general declarative language 
and a specific set of tools whose purpose is to make easier the steps involved in the creation 
of mediators. Global queries submitted to one of such mediators may also trigger actions 
based on the analysis of the answer produced by such queries. 

Related to the general problem of rewriting queries, there is the problem of rewriting 
queries using views, that is particularly relevant in data mining and data warehouse con- 
texts. Such problem can be stated as follows: given a query and a set of views, find a new 
quer y, equivalent to the given one, that uses only the given set of views. In (B eeri et ai, 
1 997 ) this problem has been solved by modeling rewritings in description logics (B orgida, 
1995), showing that, under particular conditions, the considered problem is decidable in 
polynomial time. 

Unlike the above approaches, with the exception of the HERMES one, our approach 
focuses on dynamic aspects. We assume that local data sources are expressed as Active U- 
Datalog databases. Thus, Active U-Datalog can be seen as the interface language between 
local sources and the mediator Local Active U-Datalog databases are then integrated by 
a special mediator, called supervisor, able to retrieve and manage local information. The 
main feature of our system is that both local databases and supervisor are characterized by 
an active behavior intended as the ability of automatically reacting to external events (in 
our context, represented by updates) arising in the system. 

Among the above approaches, only HERMES supports dynamic aspects. However, in 
our approach, actions can be triggered both at the local and at the global levels, respec- 
tively by local databases and the supervisor. By contrast, in HERMES actions can only be 
activated at global level and no support for local activation is provided. 

Finally, some relationships exist also between our work and agent technology. An agent 
can be defined as "a self-contained program capable of controlling its own decision-making 
and acting, based on its perception of its environment, in pursuit of one or more objec- 
tives" ( lennings and Woldridge, 1996| ). An agent should be characterized by several prop- 



erties such as, for example, the ability to interact with other agents and to react to changes 
of its state or arising in the overall environment. The model we have developed partly satis- 
fies the above properties and has therefore some similarities with agent technology. In our 
model, each local database is characterized by a state and by a set of deductive and active 
rules. As such, our local databases are self-contained and able to modify their own state. 
Moreover, communication among local databases is indirectly supported via the supervisor 
since it has a global visibility of the whole system and can use this knowledge to answer 
queries and to perform modifications involving the whole system. However, differently 
from agent systems, the proposed framework has been cast in a specific environment, with 
the aim of providing a formal approach for analyzing heterogeneous environments, both 
from a static and dynamic point of view. This is different from agent technology, since in 
that case methods are provided to deal with arbitrary agents, used to perform specific tasks 
in arbitrary environments. 



2 Amalgamated Active-U-Datalog: the syntax 



In order to support a logical framework modeling cooperation and integration of knowl- 
edge from different and heterogeneous databases, Subrahamanian proposed a framework, 
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based on annotated logic, for amalgamating the knowledge contained in several hetero- 



geneous local databases (Subrahmanian, 1994). Each local database is a generalized an- 



notated program (GAP) (Kifer and Subrahmanian, 1992; Subrahmanian, 1987), that is, a 
logic program whose semantics is interpreted over a complete lattice[]of truth values. Some 



examples of lattices are (Subrahmanian, 1994): 



• the lattice TWO, containing the classical truth value true and false, with false 
lower than true; 

• the lattice FOUR; in such lattice, T represents the truth value inconsistent, _L rep- 
resents the truth value unknown, and t and / represent the usual values true and 
false, respectively; by denoting with < the ordering existing between lattice values, 
the following relationships hold: ± < true, _L < false, false < T, true < T; 

• the lattice Tl[0, 1], set of real numbers between and 1; 

• the lattice TIMEi, representing the power-set of non-negative integers, ordered under 
C; 

• the lattice TIME2, representing the set of all closed intervals of non-negative real 
numbers, ordered under C. 

As we have already remarked, the proposed framework does not model dynamic aspects, 
such as updates and active rules. In order to overcome this limitation, in the following, we 
extend the amalgamation theory to cope with updates and active rules. In order to do that, 
we apply amalgamation theory to local sources represented as Active U-Datalog databases 



(Bertino et ai, 1998). Since Active U-Datalog programs support update representation and 
execution, the amalgamation of Active U-Datalog programs allows us to combine not only 
the static knowledge of each single database but also the dynamic one, represented by 
updates. The resulting language is called Amalgamated Active U-Datalog. 

In the following, we first describe how lattice values can be inserted inside Active U- 
Datalog programs, modeling local databases. The resulting language is called Annotated 
Active U-Datalog. Then, we show how the static and dynamic information contained in 
the local databases can be amalgamated, resulting in the Amalgamated Active U-Datalog 
framework. In defining such new framework, we consider as source for the truth values a 
complete lattice T. 



2.1 Annotated Active U-Datalog 

An Annotated Active U-Datalog program is a logical program modeling both deductive 
rules and active rules. Both deductive and active rules are defined by using deductive and 
update atoms. Such atoms can be annotated with the truth values chosen from a given 
complete lattice T. 

In order to introduce the Annotated Active U-Datalog language, we first define the con- 
cept of annotation, then we introduce the concept of annotated atom, and finally we de- 
scribe the rules that can be represented in Annotated Active U-Datalog. 

^ A lattice is a partially ordered set where all finite subsets have a least upper bound and a greatest lower bound. 
In a complete lattice, the least upper bound and a greatest lower bound also exist for infinite subsets. Every 
finite lattice is complete. 
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2.1.1 Annotations 

Given a complete lattice T, annotations are constructed upon a specific language, called 
T-language. Based on this language, an annotation can be either a syntactic representation 
of the lattice elements or it is obtained by applying a computable function to such elements. 
The representation domain of the T language is therefore the structure corresponding to 
the T lattice. 

Definition 1 {T-language) 

Let T be a complete lattice of truth values. The T-language (C, J-", V), used to represent 
annotations over T, is composed of: 

• a set C of constant symbols; 

• an union T of sets JF* of total continuous^ functions (Ui>i-^')' ^^'^h of type (T)* — » 
T, called annotation functions over lattice T , such that: 

— each / G JF* is computable; 

— each set T"^ contains an i-ary function U^^that, given ^i, . . . , as input, returns 
the least upper bound ilub) of {/ii, . . . , pi\. 

Moreover, we assume that the T-language contains an infinite set V of variable symbols. □ 

We now introduce the concept of annotation. 

Definition 2 (Annotation) 

Let T he a complete lattice of truth values. Let T = (C,JF, V) be a T-language. An 
annotation ijj over T is a term constructed over T (T-term). A T-term t can be either: 

• a simple annotation term, if i G C or t G V; 

• a complex annotation term, if t — f{p.i ... , /x^), where / G J^* and p.i . . . ,pi are 
annotation terms. □ 

In the following, when no otherwise specified, we consider as T-language the language 
in which the constants coincide with the elements of T. 

Example 1 

Let T be the lattice n[0, 1], T = (C, T, V) a T-language such that: 

• C is a syntactic representation of the considered real numbers; 

• T = J-^ is composed of a binary function / : (T)^ — > T returning the minimum 
value between its arguments and a binary function U2 : (T)-^ — » T returning the 
least upper bound between its arguments; 

. V = {Xi,... ,X„,...}. 

Then, 0.75 and Xi are simple annotation terms whereas /(0. 25, 0.75) and 
□2(0.5, 0.75) are complex annotation terms. O 



^ Hence monotonic. 

^ For simplicity, when there is not ambiguity, we use U instead of . 
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2.7.2 Atoms 

The following definition introduces the language over which atoms are constructed. 
Definition 3 (Base language) 

Let T ~ {C,T,V) be a T-language. Let S = {Sc,Sa} be a many sorted signature, 
such that Sc is a set of constant value symbols, and Sq is JF U C. Sets Ec and Ea are 
disjoint. Let 11 be a set of predicate symbols, partitioned into extensional predicate symbols 
n^, intensional predicate symbols 11*, and update predicate symbols 11". We assume that 
11" = {+P, —p I P £ IL^}. Let V he a family of sets of variable symbols for each sort 
V — {Vc, Va}, Va = V. (n, S, V) is called base language. We denote with Terrrit the set 
Ef U Vu with t e {c, a}, g 

The base language can be used to construct atoms as follows. 

Definition 4 (Atoms, annotated atoms) 

Let T — {C,J-,V) be a T-language and (n,Y,,V) a base language. We denote with 
(n, E, F)-atom an atom whose predicate belongs to 11 and whose terms are in Ec U Vc- 
More precisely: 

• (n\ S, y)-atoms are called intensional deductive atoms. 

• (n'^, S, F)-atoms are called extensional deductive atoms. 

• (n", S, y)-atoms are called update atoms. Insertions are denoted by update atoms 
prefixed by +, whereas deletions are prefixed by — . 

• Atoms of the form A : ip, where A is an (intensional, extensional, update) atom 
and ijj is an annotation over T are called annotated atoms. A : i/j is c-annotated if 
V' 6 C, v-annotated if £ V, t-annotated if ?/; is a complex annotation term. The 
meaning assigned to an annotated update atom aiAi : is that of inserting/deleting 
the annotated atom Ai : p,i. 

An annotated literal is an annotated intensional or extensional atom or its negation. An 
atom (literal) is ground if it does not contain variables. □ 

Example 2 

Let T = (C,jr, V) be the T-language of Example 1 and (11, E,V^) the base language 
defined as follows: 

• n = {^^^^^"} ee {pi,... ,p„} u {gi,.. . u {+pi,-pi,... ,+p„,-p„} 

where the arity of pi,l < i < n, and qj,! < j < m, is 2; 

• E = {E„E4 = {{a,5,c},CU.F}; 

• V = {Vc,Va} = {Y,,... ,Yg,...}U{X,,... ,X,,...}. 

Then, pi{a,b) : 0.5 is an extensional c-annotated atom, +pi{a,b) : X\ is an update 
v-annotated atom, whereas c) : /(0.25, 0.75) and (72(^1, ^2) : j{X\.,X2) are inten- 
sional t-annotated atoms, the first is ground, the second is not. O 

In the following, when we do not specify otherwise, we use the term "annotated atom" 
to refer either a c-annotated, a v-annotated, or a t-annotated atom. 

* In the following we assume that a substitution is a pair of functions d = {6c, 9a}, dealing respectively with 
variables in Vc and Va ■ 
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2.1.3 Rules 

Deductive and active rules are defined as follows. 

Definition 5 {AAU-Datalog Deductive Rule) 

An AAU-Datalog Deductive Rule is a rule of the form 

Aq : Ho ^ Ai : /ii, . . . ,Ak : fik\ c^k+iAk+i : A^fe+i, • ■ • ,an^n : Mn 

with aj G {+, — }, j = + 1, . . . , n, and Ai : fii, i — 0, . . . ,n, annotated atoms such 
that: 

• ^0 : Mo is an annotated (11% E, y)-atom; 

• Ai : fii, I = 1, . . . ,k, is a c-annotated or v-annotated (11* U ll'^, S, V^)-atom; 

• Aj : fij, j = k + 1, . . . ,n,is a c-annotated or v-annotated y)-atom; 

• asAg ^ OLtAt for k + 1 < s,t < n, s ^ t. 

Ao : Ho is the head of the rule, Ai : hi,. . . ,Ak : Hkl afe+i^fc+i : Hk+i, ■■■ , (XnAn : Hn 
is the body, Ai ,Ak : /ife is the query part whereas ctfe+iAfc+i :/ife+i,... , a„A,i : 

Hn is the update part; the update and query part cannot be both empty. We require for de- 
ductive rules the following safety condition: each variable appearing in the head (or in its 
annotation) must also appear in a deductive atom in the body of the same rule (or in the 
annotation of its body atoms). □ 

The intuitive meaning of a deductive rule 

Ao ■■ Ho <— Ai : Hi, ■ ■ ■ , Ak : Hkl ak+iAk+i : Hk+i, ■■■ , OLnAn : Hn 

is: "if Ai, i = 1, . . . , /c, is true with truth value /x^, then Ao is true with truth value /io and, 
as side effect, the updates 0{.k^\Ak-\-\ Hk+i, • • • ? ^nAn : Hn are requested". 

Definition 6 (AAU-Datalog Active Rule) 

An AAU-Datalog Active Rule is a rule of the form: 



aiAi : hit ■ ■ I o:kAk : Hk\ Lk+i : Hk+i, ■ ■ ■ ,Ln ■ Hn Qn+i^n+i : fJ-n+i, • • • , 

with aj € {+, = 1, . . . ,k, n+1 . . . , n + m, Ai : /z;, / = 1, . . . , k,n + l, n + m, 
annotated atoms, and Lh : Hh, h = k + 1, ...,n annotated Uterals such that 

• Ai : Hi, i = ^, ■■■ ,k, is a c-annotated or v-annotated (11*, E, y)-atom; 

• Ai : Hi, i = n + 1, ... ,n + m, is an annotated (11^, S, F)-atom; 

• Lj : Hj, j = k + 1, ... ,n, is a c-annotated or v-annotated (11* U H*^, E, y)-literal; 

• apAp UqAq fori < p,q < k,p ^ g, andagAg ^ a(Atforn-|-l < s,t < n+m, 

ot\A\ : Hi, ■ ■ ■ , cikAk : Hk is the event part, Lk+i : Hk+i, ■ ■ ■ ,Ln ■ Hn is the condition 
part, and a„+iA„+i : Hn+i, ■■■ , (Xn+mAn+m ■ l^n+m is the action part, that cannot be 
empty. We require for active rules the following safety conditions: each variable occurring 
in a rule head (or in its annotation) should also occur in the body of the same rule (or in 
the annotation of some of its atoms); each variable occurring in a negated literal (or in its 
annotation) in the rule body must also occur in some positive literal (or in its annotation) 
in the rule body. □ 
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While intensional rules provide deductive power to our framework, active rules allow 
the system to autonomously react to the current (possibly inconsistent) state and to take 
appropriate actions in order to assure desired properties on the final state. The intuitive 
meaning of the active rule 

a\A\ : fii, . . . , akAk : fJ.k\ Lk+i : fJ^k+i, ■ ■ ■ , L„ : fin a„+iAn+i ■ fJ-n+i, • ■ ■ , 

(^n-f m^n + m • fln-\-m 

is: "if the events aiAi : /ii, . . . , akAk : ^^k occur and Li, i ~ k + 1, . . . , n, is true with 
truth value fi„ then execute actions a„+i^„+i : . . . , an+mAn+m ■ fJ-n+m"- 

It is important to note that the previous definition prevents a rule from containing the 
same update atom with two distinct annotations (fourth item of Definitions || and^). 

In the following, we call AAU-Datalog rule both a deductive and active AAU-Datalog 
rule. 

An Annotated Active U-Datalog program (or AAU-Datalog) is finally defined as fol- 
lows. 

Definition 7 (AAU-Datalog program) 

An Annotated Active U-Datalog (or AAU-Datalog) program or database is composed of: 

• a set of c-annotated extensional ground atoms (extensional database EDB); 

• a set of AAU-Datalog deductive rules (intensional database EDB); 

• a set of AAU-Datalog active rules (AR). 

Given an AAU-Datalog program P, we denote with GI(P) all the ground instances of 
rules in P, containing only c-annotations. □ 

Due to the dynamic properties of an AAU-Datalog program, a deductive rule with no 
head and with a non-empty query part is called simple transaction. Simple transactions 
are usually preceded by "?", as usual in deductive databases. A complex transaction is 
a sequence of simple transactions Ti; . . . ; T^, each executed in the state obtained by the 
execution of the previous transactions (see Section 

Example 3 

Suppose that three sensors monitor the air quality in three distinct places of a given town, 
by considering the level of a given set of substances. Depending on whether the level of a 
given substance has a presence above the danger threshold and on how may sensors detect 
this situation, we want to partially or totally block car circulation. If a sensor detects that 
the danger threshold for a given substance has been exceeded twice, a critical situation is 
detected. 

Information concerning the three local sensors can be modeled by three AAU-Datalog 
databases. Partial and total block policies will then be managed by a supervisor (see Exam- 
ple ||). In order to model local databases, we make the following assumption: information 
concerning the level of a given substance is traced by predicate sensor. In particular, the 
annotated atom sensor (X) : t means that the level of substance X has a presence over 
the danger threshold, sensor (X) : f means that the level of substance X has a presence 
under the danger threshold, sensor(X): _L means that we do not know the level of sub- 
stance X. We assume that such predicate is externally updated. We also assume that partial 
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IDBoBi- rl: danger_lv(X) 
r2 : danger.lv (X) 
r3 ; danger.lv (X) 
r4 : danger_lv(X} 

ARoB '■ arl : -over_lv(X} 



Y^sensor (X) : y| . 
t^sensor(X) :t| +over_lv(X) :t. 

t^sensor(X) : t, over_lv (X) :t| +critical_lv (X) :t. 
f ^sensor (X) : f, over_lv (X) :t | -over.lv (X) : t . 
t I crltlcal.lv (X) :t^-crltlcal.lv(X) :t. 



EDBdbi '■ sensor{sl) :t,sensor(s2) :J_,sensor(s3) :t, over_lv (si) :t,critical_lv(sl) :t, 

over_lv(s3) ; t , part ialjDlock { s3 ) :t. 
EDBdBo sensor(sl} : ±, sensor ( s2 } : t , sensor ( s 3 ) : t , over_lv ( s2 ) : t , crit ical_lv ( s2 ) :t, 

over_lv(s3) ; t , part ial_block { s3 ) :t. 
EDBdb^ sensor{sl) : t , sensor ( s2 ) : t , sensor ( s3 ) : t , over_lv { si ) : t , over.lv ( s2 ) :t, 

over_lv(s3) ; t , part ialjolock { s3 } :t. 



Figure 1. The local databases. 



and total blocks information are represented by the extensional predicates totalJolock 
and partial-block, whose arguments are the substances causing the block. 

Figure |l]illustrates the local databases. Predicate dange r_l v specifies whether the dan- 
ger threshold for a given substance has been exceeded and, at the same time, it updates the 
extensional database. In particular, the first time a specific substance exceeds the danger 
threshold, an over level warning is generated, by updating the extensional database. If this 
happens twice, a critical situation is gained and a critical level warning is generated, updat- 
ing again the database. The extensional database is also modified when the concentration of 
the considered substance decreases. In this case, all the warnings are removed. The active 
rule removes critical warnings when the over level warning is removed. 

The local extensional database of DBi specifies that substance s 1 has exceeded twice 
its danger threshold and a substance s 3 has exceeded once its danger threshold. A partial 
block due to substance s 3 has also been detected. No information concerning substance 
s2 is known. A similar situation arises in the local database DB2- On the other hand, in 
the local database DB^, the level of substances si, s2, and s3 has exceeded once the 
related danger thresholds. 

The following are examples of local transactions for DBi: 

1. r =? sensor{sl) : t is a simple transaction that checks whether the substance si has 
a presence over its danger threshold; 

2. T —1 danger dv{X) : t;7 criticaldviY) : f is a complex transaction determining 
for which substances X the danger threshold has been exceeded and for which sub- 
stances Y it has been exceeded twice. O 



2.2 Amalgamated Active U-Datalog 

In order to amalgamate the static and dynamic knowledge deriving from the local data- 
bases, each represented by a AAU-Datalog program, a logical mediator, called supervisor, 
is used. In order to deal with the set of local databases, there is the need of univocally 
identifying each of them. To this purpose, we assume that: 

• each local AAU-Datalog program is univocally identified by exactly one progressive 
numerical constant, starting from 1 ; 

• the supervisor is univocally identified by letter "s". 
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The previous constants are called NAME constants. A NAME-term over a set of NAME- 
constants C is either a subset of NAME-constants, or a variable ranging over NAME- 
constants (NAME- variable). In the following, in order to simplify notation, ground NAME- 
terms containing just one element will be denoted directy by the element they contain. 
Thus, the NAME-term {1} will be denoted by 1. 

An amalgamated atom (Uteral) is simply an annotated atom (Uteral) pointing out the 
identifier of the local database it belongs to. In particular, if A : i/; is an annotated atom 
(hteral) and D is a NAME-term, then A : [D,^/'] is an amalgamated atom (literal). An 
Amalgamated Active U-Datalog {or AmAU-Datalog) program is an AAU-Datalog program 
in which all the atoms are transformed into amalgamated atoms. 

Definition 8 (Amalgamated atom, rule, and program) 

Let tj) be an annotation over a T-language, D a NAME-term, and A an atom (literal). Then, 
A : [D, xjj] is an amalgamated atom (Uteral). An Amalgamated Active U-Datalog rule 
(program) is an AAU-Datalog rule (program) in which each atom is replaced by an amal- 
gamated atom. Given an AAU-Datalog atom, rule, or program K, we denote with AT(K) 
the corresponding amalgamated atom, rule, or program. In particular, if the AAU-Datalog 
program DBi, having i as identifier, contains atoms like A : [tj)], AT(DBi) contains atoms 
MksA : [z,?/;]. □ 

Based on the previous notion, the supervisor database can now be defined as a set of 
rules mediating the static and dynamic knowledge deriving from the local databases, hid- 
ing their internal structure. Thus, a supervisor is an amalgamated AAU-Datalog program, 
whose deductive rules refer to all the existing local AAU-Datalog local databases and 
whose active rules supply a simple and strong mechanism to exhibit a reaction in case 
of complex events involving several local databases of the amalgam. This is quite useful 
in supporting a global reaction in front of a situation that requires checking conditions 
concerning more that one local database. Differently from local databases, the supervisor 
is not characterized by a proper extensional database. Thus, no updates can be executed 
against it. 

Definition 9 (Supervisor, strong supervisor) 

Let DBi , . . . , DBn be n AAU-Datalog programs. A supervisor database /S is an AmAU- 
Datalog program composed of 

• A set of amalgamated deductive rules SIDB of the form 

A: [s,/i] <- Ai : [Di, m], . . . ,Ak : [£>fc,Mfe]| 

where each Di, i = 1, . . . , fc, is a NAME-term over {s, 1, . . . , n}. 

• A set of amalgamated active rules SAR of the form 

aiAi : [Di,iii\, . . . ,akAk : [I?fc,Mfc]| Lk+i : [-Dfe+i, /ifc+i], ... , L„ : 



where Di, i = I, . . . , k.n + 1, . . . , n + m is a ground NAME-term containing just 
one element over {1, . . . ,n} whereas -D^ , j = fc + 1, . . . , n, is a NAME-term over 
{s, 1,... ,n}. 




m. 
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A supervisor is strong if no amalgamated deductive rule contains literals like Lj : [s, Hj] 
in its body. □ 

A supervisor is strong if mediated knowledge does not depend on the supervisor itself. 
This notion will be used in providing a semantics for AmAU-Datalog programs. It is impor- 
tant to notice that the supervisor acts as a filter for the transactions to be executed against 
the local programs, as shown by the following example. 

Example 4 

Consider the case in which the supervisor does not contain any rule. AH queries of type 

would return the unknown truth value (_L), independently from the truth value assigned to 
A in the single local AAU-Datalog programs. 

If we want to assign the truth value (i to the ground atom A only if each of the n local 
programs assigns to A the same value, the following amalgamated rule has to be inserted 
in the supervisor: 

A:[s,V]^A:[l,Vl...,A:[N,V]\ 

By using rules like the previous ones, it is possible to assign a greater priority to a given 
program, to a particular predicate, or to a particular fact. For example, in order to express 
the fact that program i contains more significant information than the others concerning a 
given atom A, it is sufficient to insert in the supervisor the following amalgamated rule: 

A[s,V]^A{X):[z,V]\ 

As another significant example, consider two local AAU-Datalog programs, say DBi 
and DB2, respectively identified by 1 and 2, and FOUR as the source lattice of truth values. 
Suppose that: 

t is contained in DBi, resulting in the 

[l,t\\ +m(X):[l,i]; 
t is contained in DB2, resulting in the 

[2,/] I -m{X):[2,t\. 

If the two programs assign some incomparable truth values to a specific atom constructed 
over p, the supervisor can decide to assign to this atom a particular truth value. For exam- 
ple: 

1) it may assign a combination of the values assigned to the atom by the local databases, 
through the amalgamated rule 

p{X,Y) : [s,U{Z,W}]^p{X,Y) : [l,Z],p{X,Y) : %W]\ 

2) or it may choose the value assigned by program 1, through the amalgamated rule 

p{X,Y) : [s,Z]^p{X,Y) : [l,Zlp{X,Y) : [2,VF]| . O 



• rule p{X, Y):t^ q{X, Y) : t\ + m{X) : 
following amalgamated rule: 

piX,Y) : [l,t]^q{X,Y) : 

• mle p{X,Y) : f ^ q{X,Y) : f\ - m{X) : 
following amalgamated rule: 

p{X,Y):[2,f]^q{X,Y): 
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By combining the knowledge represented by the local programs with the knowledge 
represented by the supervisor, we obtain the overall amalgam of static and dynamic knowl- 
edge. However, in order to complete the amalgamation process, there is the need of speci- 
fying how atoms like Ak : [Dk, Hk] have to be defined, when Dk is a ground NAME-term. 
Such an atom specifies that A}; is true with truth value jik in all the databases whose iden- 
tifiers are contained in D^. The semantics for such atoms is provided by inserting in the 
amalgam an additional sets of rules, called combination axioms. Such rules specify that an 
atom Ak : [Dk, /Xfe], Dk = {ii, in), is true if the following conditions hold: 

\. A: [ii,^iJ,...,A : [?„,Mi„] are true; 
Definition 10 {Combination axioms) 

Let D C { 1 , . . . , n} be a set of NAME-constants, A a deductive atom of the base language, 
and hd ^ annotation. Atom A : [D, fio] is defined by the following combination axiom 

A:[D,\Ji^,]^ f\A■.[^,^ii] 
where hd = |J /U,. In the following, combination axioms will be denoted by C. □ 

Example 5 

Let D = {1, 2}. Consider the following amalgamated rules: 

Ci= A: [1,/io] ^ Ai : [1,/ii], . . . ,^fc : [l,Mfe]| Oik+iAk+i : . . . ,a„A„[l, : /i„] 

C2 = A: [2,7io] <- Ai : [2,-pi], . . . , Ai : [2,/I;]| ai+iAi+i : [2,/I;_,_i], . . . , Q!„iA„[2, : /ij 
The following is a combination axiom for atom A: 

A: [{l,2},U{/xo,Mo}] ^ A:[l,fio],A:[2,JIo]\ . O 

We are now able to define the amalgam of the local databases and the supervisor as a 
program combining the information represented by the various local databases, the super- 
visor, and the combination axioms. 

Definition 11 (Amalgam) 

Let DBi, ... , DBn be n AAU-Datalog program, DBi = EDBi U IDBi U ARi, and 
S = SIDB U SAR a supervisor. Let C be the set of combination axioms. The amalgam 
A of (5, DB\, . . . , DBn) is the amalgamated program defined as follows: 

A = U2=iAT{DBi) U 5 U C. 

The extensional part of the amalgam is EDB^ = U"^^ {AT{EDBi)), the intensional part 
is IDBj^ = iJ-^^^{AT(IDB,)) U SIDB U C, and the active part is 
ARji, = U^^i {AT{ARi)) U SAR. □ 

It is important to remark that, given a set of AAU-Datalog programs, the set of combina- 
tion axioms that can be constructed is fixed, therefore they can be considered as implicitly 
defined by the amalgam semantics. 
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Similarly to AAU-Datalog programs, each operation that can be executed against an 
amalgam is called transaction. A transaction is a deductive rule without head and, as 
such, may execute a query, may require the execution of a set of updates against the local 
databases, and may trigger some active rules both at the local and global level. A transac- 
tion can be simple or complex, as pointed out by the following definition. 

Definition 12 (Transaction) 

Let DBi , . . . , DBn be n AAU-Datalog programs, S a supervisor, C a set of combina- 
tion axioms and A = Llf^^AT{DB,) U C U 5 the amalgam of (S, DBi, ... , DBn). A 
simple transaction T against A is an AmAU-Datalog deductive rule with no head and 
with a non-empty query part; a complex transaction is a sequence of simple transactions 
Ti-...-Tk. □ 



IDBs ■■ pblock (X) : [s, V] ^danger.lv (X) : [1, V] , danger.lv (X) : [2, V] , danger.lv (X) : [3, V] | 
+partialjDlock (X) : [1, V] , +partialjolock (X) : [2, V] , 
+partialjDlock (X) : [3,v] . 
pblock (X) : [s, -L] ^danger.lv(X) : [{1, 2, 3}, _L] | +reread(X) : [1, t] , +reread(X) : [2, t] , 
+reread(X) : [3,t] . 

pblock (X) : [s, -L] ^danger.lv (X):[{1,2,3},T]| +reread (X) : [1, t ] , +reread (X) : [2, t ] , 
+ reread (X) : [3, t ] , +partialj3lock (X) : [1, ±] , 
+partialJolock (X) : [2, J_] , +partialjolock (X) : [3, _L] . 
tblock (X, Y) : [s, t ] ^partial jDlock (X) : [W, t ] , partial jDlock (Y) : [Z, t ] , not.eq (X, Y) : t| 
+totalj3lock (X,Y) : [l,t], +totalj3lock (X,Y) : [2,t], 
+totalJolock (X, Y) : [3,t] . 
tblock (X, Y) : [s, t ] ^cr it ical.lv (X) : [W, t ] , critical.lv (Y) : [Z, t ] , not.eq (X, Y) : t 
+totalJolock (X,Y) : [l,t], ttotaljDlock (X,Y) : [2,t], 
+totalJolock(X,Y) : [3,t] . 
ARs ■■ +partialjDlock (X) : [Y, V] | totaljDlock (W, Z) : [Y, t ] ^-partialjalock (X) : [Y, V] . 
+totalj3lock (X,Y):[z,t]| partialjDlock (W) : [z, V] ^-partialjDlock (W) : [Z, V] . 
+ reread (X) : [Y, t ] | partialjDlock (X) : [H, t ] ^-partialjDlock (X) : [H, t ] . 
+ reread (X) : [Y, t ] I totaljDlock (X, Z) : [H, t ] ^-totaljDlock (X,Z) : [H,t] . 
+ reread(X) : [Y,t] I totaljDlock (Z, X) : [ H, t ] ^-totaljolock ( Z , X) : [H,t] . 



Figure 2. The supervisor database. 



Example 6 

Consider Example |^. In order to decide partial and total blocks of car circulation, suppose 
that the following policy is applied. Car circulation must be partially forbidden if all the 
sensors determine that a monitored substance has a presence above its danger threshold. 
On the other hand, car circulation is totally forbidden if one of the following conditions 
holds: 

• all the sensors determine that two different substances have a presence above their 
danger threshold; 

• for two different substances, a critical situation is detected by some sensors. 

The detection of partial and total blocks requires a cooperation among the various sen- 
sors, therefore this functionality can be assigned to an AmAU-Datalog supervisor database. 
Based on the previous policy, such database can be designed as illustrated in Figure ^ 

Predicate pblock manages partial blocks. In particular, if all the sensors agree in as- 
signing the truth value to atom sensor (X), it assigns the same truth value to the atom 
concerning partial block of car circulation. On the other hand, if all the sensors agree in 
assigning a truth value _L or T to a given substance, some facts are asserted specifying 
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EDB^: sensor (si) : [1, t] , sensor (s2) : [1, _L] , sensor (s3) : [1, t] , over^vCsl) : [1, t] , 
critical.lv (si) : [1, t ] , over.lv (s3) : [1, t ] , partialjDlock (s3) : [1, t ] , 
sensor(sl) : [2,_L],sensor(s2) : [2,t],sensor(s3} : [2 , t] , over.lv ( s2 ) : [ 2 , t ] , 
critical.lv (s2) : [2, t ] , over.lv (s3) : [2, t ] , partialjolock (s3) : [2, t ] , 
sensor(sl) : [3,t],sensor(s2) : [3,t],sensor(s3) : [3,t], over.lv (si } : [ 3, t ] , 
over.lv (s2) : [3, t ] , over.lv (s3) : [3, t ] , partialjolock (s3) : [3, t ] . 

IDBji,: danger.lv (X) : [1, Y] +-sensor (X) : [i, Y] | i=l,2,3. 

danger.lv (X) : [i, t] ^sensor (X) : [i, t] j +over.lv (X) : [ i , t ] , i = l,2,3. 

danger.lv (X) : [i,t]^sensor(X) : [i,t], averJLv (X) : [i, t ] | +cr it ical.lv (X) : [1, t ] , 

i=l, 2, 3 . 

danger.lv (X) : [i,f]^sensor(X) : [i,f], overJLv (X) : [i, t ] | -over.lv (X) : [i, t ] , 

i=l, 2,3. 

pblock (X) : [s, V] ^danger.lv (X) : [1, V] , danger.lv (X) : [2, V] , danger.lv (X) : [3, V] | 
+partialj3lock (X) : [1, V] , +partialJolock (X) : [2, V] , 
+partialj3lock (X) : [3,V] . 

pblock (X) : [s, _L] ^danger.lv (X) : [{1,2,3}, ±] \ +reread(X) : [l,t], +reread (X) : [2, t ] , 
treread (X) : [3, t] . 

pblock (X) : [s, _L] ^danger.lv (X) : [{l,2,3},T]| +reread(X) : [1, t] , +reread(X) : [2, t] , 
+ reread (X) : [3, t ] , +partialjolock (X) : [1, _L] , 
+partlalj3lock (X) : [2, _L] , +partlalj3lock (X) : [3, ±] . 
tblock (X, Y) : [s, t ] ^partialjDlock (X) : [W, t ] , partialjDlock (Y) : [Z, t ] , not.eq (X, Y) : t 
+totaljDlock (X,Y) : [l,t], +totaljDlock (X,Y) : [2,t] , 
+totaljDlock (X, Y) : [3,t] . 
tblock (X, Y) : [s, t ] *— critical.lv (X) : [W, t ] , critical.lv (Y) : [Z, t ] , not.eq (X, Y) : t 
+totaljDlock (X, Y) : [1, t] , +totaljDlock (X, Y) : [2, t] , 
+totaljDlock (X, Y) : [3,t] . 
sensor (si) : [{l,2},U{yi,V2}]^sensor(sl) : [l,Vi], sensor (si) : [2, V2] | . 
sensor (si) : [{1,3}, U{Vi, V3}] ^sensor (si) : [1, Vl] , sensor (si) : [3, V3] | . 
sensor (si) : [ {2 , 3} , U{ V'2 , V3 } ] ^sensor (si) : [ 2 , V2 ] , sensor (si) : [3, V3] | . 
sensor (si) : [ { 1 , 2 , 3} , U{yi, Vb , V3 }] ^sensor ( si) : [1, Vi] , sensor (si) : [ 2 , ^2 ] , 

sensor (si) : [3, V3] | . 

ARj^ : -over.lv (X) : [i, t ] | critical.lv (X) : [i, t ] ^-cr it ical.lv (X):[i,t], 1 = 1, 2, 3. 

+partialjDlock (X) : [Y, V] | totaljDlock (W, Z) : [ Y, t ] — »-partialjDlock (X) : [Y, V] . 
+totaljDlock (X,Y):[Z,t]| partialjDlock (W) : [z, V] ^-partialjDlock (W) : [Z, V] . 
ireread (X) : [Y, t ] | partialjDlock (X) : [H, t ] ^-partialjolock (X) : [H, t ] . 
ireread (X) : [Y, t ] | total.block (X, Z) : [H, t ] ^-totaljDlock (X,Z) : [H,t] . 
+reread (X) : [Y, t ] | total.block (z, X) : [H, t ] ^-totaljDlock (Z, X) : [H, t ] . 



Figure 3. The amalgam of DBi, DB2, DB3 and S. 



that the level for that substance has to be read again. In the first case, this is because local 
databases have no information concerning the level of that substance, in the second case 
because local databases do not agree on such level. Note that in the first case, updates are 
indirectly performed by the first rule. Predicate tblock manages total blocks, as speci- 
fied before. Since a total block is always due to two substances, predicate totalJolock 
specifies also their names. The supervisory database also contains five active rules. In par- 
ticular: 

• the first active rule requires the deletion of a just inserted partial block information 
if a total block information has already been detected. In this case, partial block 
information is discarded by the evaluation process; 

• the second rule deletes all partial blocks information when a total block is detected; 

• the last three rules delete all partial or total blocks information concerning a given 
substance X for which the danger level has to be re-read. 

Figure ^ illustrates the amalgam A of the supervisor together with the local databases of 
the Example || In Figure ^ only some few combination axioms of A are presented; all the 
others axioms are computed as described in Definition |T^. 
The following are examples of transactions for A: 
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1. T =? pblock{X) : [s, t] is a simple transaction checking which substances generate 
a partial block; 

2. T —7 pblock{X) : [s, V]; ? tblock{Y, Z)[s, t] is a complex transaction determining 
the substances generating partial and total blocks. O 

3 Amalgamated Active-U-Datalog: the deductive semantics 

In defining the semantics of an AmAU-Datalog program, we consider as observable prop- 
erties of the transaction execution: the set of bindings (the answer), the new database state, 
and the indication of success (commit/abort) of the transaction itself. The semantics of 
AmAU-Datalog programs, with respect to a simple transaction, can be defined in three 
steps: 

• In the first step, the semantics of the amalgam is computed, collecting the set of 
bindings that satisfy the query and the requested updates. In this step, no update 
is executed and only deductive reasoning is performed. All the updates generated 
during this phase are gathered together but not executed. 

• In the second step, the semantics of the active part of the program is computed, 
according to the model and the updates collected in the first step. The result of this 
step is the set of updates generated either by the deductive and/or the active part of 
the amalgam. In this step, conflicting updates have to be removed. This is possible 
by applying a parametric conflict resolution policy. 

• In the third step, the updates obtained from the second step are executed against the 
extensional database. 

The previous three steps are repeated for each simple transaction contained in a complex 
transaction. Hence, the state of the database evolves after each simple transaction execu- 
tion. 

In the following, we describe in details the first semantic step. The other steps will be 
formally introduced in Sections Q and || 

In order to compute the semantics of the deductive part of the amalgam, we first specify 
how the deductive semantics of the local databases is computed and then we describe how 
the local semantics are combined together to form the semantics of the amalgam. In the 
foUowing, the term "rule" refers to a deductive rule. 

3.1 Deductive semantics of an AAU-Datalog program 

In the following we assume that T is a complete lattice containing the least element ±. 
In order to define the semantics of the deductive part of an AAU-Datalog program, we 
consider an Extended Herbrand Base defined as follows. 

Definition 13 {Extended Herbrand base) 

The Extended Herbrand Base CBc of a base language £=(S, 11, V) is composed of con- 
strained ground atoms of the form A ^ . . . , akDj., where A is a ground (11* U 
n*^, E, l/)-atom and ajDj, j = 1, . . . ,k, are ground (11", E, l/)-atoms. □ 
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Since the language does not contain function symbols, the Extended Herbrand Base 
is a finite set. Similarly to standard logic programming, the Extended Herbrand Base is 
then used to define interpretations. However, differently from the standard framework, an 
interpretation must assign to each constrained atom, belonging to the Extended Herbrand 
Base, a truth value, constructed starting from the considered lattice. Such truth values can 
be formalized by introducing the concept of ideal and of principal. 



Definition 14 {Ideal { Kifer and Subrahmanian, 1992 )) 



An ideal of an upper semilattice|j T is any subset KofT such that: 

1. K is downward closed, that is s E K,t < s ^ t ^ K; 

2. K is closed with respect to the finite least upper bound operation, that is 

s,t E K ^ sUt & K. 

An ideal K is principal if for some pET,K^{s\s< p}. In this case, we use 
p to denote K. An ideal / is null if / = {}■ A principal P is null if P = _L. We let 

U{} = ±. □ 

Now suppose to define an interpretation as a function assigning an ideal (principal) to 
each constrained atom. This means that the truth value is assigned to the constrained atom 
as a whole and not to the various atoms composing the constrained atom, as we would like 
to do. 

In order to overcome the previous limitation, the intepretation is defined as a function 
that, given a constrained atom, assigns a truth value to each atom appearing in it. Thus, if 
the constrained atom contains n — 1 update atoms in its body, the interpretation function 
must assign to the constrained atom n truth values, one for the head of the constrained 
atom and n — 1 for the update atoms in the body. In order to formalize this concept, it is 
useful to introduce the concept of n-ideal and rt-principal. 

Definition 15 (n-ideal, n-principal) 

Let T an upper semilattice. An 7i-ideal of an upper semilattice T is a tuple composed of n 
ideals of T; with n-I we denote the set of all the n-ideals of T. An n-principal of an upper 
semilattice T is a tuple composed of n principals of T; with n-P we denote the set of all 
the n-principals of T. An n-ideal is null (denoted by 5) if all components represent the null 
ideal. An n-principal is null (denoted by Sj.) if all components represent the null principal. 
Moreover, the following sets are introduced: N-I — [J^ n-I and N-P = [J^ n-P. We let 

US Sr. □ 

Note that, since a principal is also an ideal, an n-principal is an n-ideal. The main dif- 
ference is that each single element of an n-principal is an ideal that can be identified by a 
single value whereas each single element of an n-ideal is a generic ideal. 

It is also important to note that n-ideals (n-principals) of a complete semilattice T can 
be seen as ideals (principals) of the complete lattice T", in which the order < is defined 



component by component, in the obvious way ( [Subrahmanian, 1994j ). 
Intepretations can now be defined as follows. 

^ A set R is an upper semilattice, with respect to a given ordering, if any pair of elements of R has a least upper 
bound in R. 
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Definition 16 {Interpretations) 

Let C be the base language and T a complete lattice. An Herbrand interpretation {re- 
stricted Herbrand interpretation - r-interpretation-) / of £ is any total map from the ex- 
tended Herbrand Base CBc to N-I {N-P). Thus, each constrained atom is mapped into an 
n-ideal (n-principal). We assume that the first ideal of the n-ideal is assigned to the head 
of the constrained atom whereas all the other ideals are assigned to update atoms in the 
body, following the ordering by which they appear. □ 

Based on the previous definition, an interpretation can always be seen as a set of ground 
and c-annotated constrained atoms and in the following we often use this notation. Suppose 
I{A <— aiDi, . . . , akDk) — < po, pi, ■ ■ ■ ,Pk >. In the following we denote /ip with 
Io{A ^ aiDi, ... , akDk) and with Ij{A <- aiDi, . . . , afcDfc), j = 1, . . . , A:. 
Moreover, to simplify the notation, we assume that all constrained atoms mapped to the 
null n-ideal are not specified when describing the interpretation and all constrained atoms 
mapped to the null n-principal are not specified when describing the r-interpretation. 

When T is a complete lattice (according to the order <), the order < can be extended 
point to point to the r-interpretations as follows: let J, / be r-interpretations, then / < / if 
and only if, for each A ^ ctiDi, . . . , akDk G CBc, the following condition holds: 

Ij{A^ aiDi,... ,akDk) <l-j{A ^ aiDi, . . . ,akDk), j = 0,... ,k. 

Starting from the notion of r-interpretation, it is possible to define when a constrained 
ground atom is true in an interpretation. 

Definition 17 {R-satisfaction) 

Let / be an interpretation, < fiQ, pi, . . . , fik > a list of c-annotations on a lattice T, 
L = A ^ aiDi, . . . , akDk G CBc- I satisfies the ground constrained annotated atom 
M EE A : ^0 ^ aiDi : ^i,... ,akDk : fik {I h M) if and only if I{L) C < 
/iQ, Pi, ■ ■ ■ , fJ'k >■ Let / be an r-interpretation, < /iq, /ii, . . . , /ifc > a list of c-annotations 
on a lattice T, 

L = A ^ aiDi, . . . , akDk G CBc- I r-satisfies the ground constrained annotated atom 
M = A : fio ^ aiDi : pi,. . . , akDk ■ Pk {I M) if and only if /ig < Io{C) and 
tij<Ij{L),j^l,... ,k. □ 

Example 7 

Let T be Tl[Q, 1], A < hDi, G CBc- Let / be an r-intei-pretation such that 

• I{A ^ +£»!, +D2) = (0.22, 0.5, 0.6). 

• for any other constrained ground atom K G CBc, I{K) = 6r- 

I satisfies the ground constrained annotated atom A : 0.2 ^ +Di : 0.3, +D2 : 0.5 
since 0.2 < 0.22, 0.3 < 0.5, and 0.5 < 0.6. O 

Based on the previous concepts, we can now define a fixpoint operator Tp, computing 
the semantics of the deductive part. Intuitively, given an interpretation /, operator 7p(/) 
applied to a constrained ground atom A returns the least n-ideal for A, containing all the 
n-ideals for A that can be computed starting from rules in GI{IDB p U EDBp)j^-whose 

^ We recall that GI(P) represents all the c-annotated, ground instances of P. 
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body is satisfied by /. The operator introduced in the following definition extends the one 



presented in (Kifer and Subrahmanian, 1992) to deal with constrained atoms and ?i-ideals. 



In particular, the computation gathers updates generated from atoms in the body of a rule 
and assign them to the atom in the head. 

Definition 18 {Operator Tp) 

Let T he a complete lattice, / an interpretation and P ~ IDBp U EDBp U ARp 
an AAU-Datalog program. For any constrained ground atom A G CBc, A = H ^ 
a'D[, . . . , oi'f^D'f., Tp{I){A) is defined as the least n-ideal of T containing the follow- 
ing set: 

{< ^^,^H, ■ • • ,M/c >l 

3H : fiQ ^ Bi : pi,. . . , _B„ : /x„| a„+i£>„+i : ^„+i, . . . , 

an+pDn+p : Hn+p £ GI{IDBp U EDBp) 
3ri, ...,r„ ru ^ Bu ■■ fiu ^ o^IdI :, . . . ,al''-Dl^, u = l,... ,n 
/ ^ r„, u = l,... ,n 
{"1^1 ^a^D,, ■■f^k} = 



— {c^ri+l^'ji+l ■ fJ-n+1, ■■■,Oln+pDn+p '■ Pn+p}\^ 



+ 

a — 1, ... ,71 
\t ^ 1, . . . I 



} 



The set A U S is defined as the usual set union with the following exception: if A contains 

aD : [Li and B contains aD : fi2, then AU B contains aD : U{/ii,/i2} and does not 
contain aD : fii and aD : /i2. D 

Example 8 

Let T = (C_i_jF, V) and (11, S, V) be respectively the T-language and the base language 
of Example^ and P the AAU-Datalog program defined as follows: 

IDBp: rl: qi (a, b) : . 5^pi (a, b) : . 5| +P2 (a, b) : . 75 . 

r2 : qi (Yi, Y2) :Xi^pi (Yi, Y2) : Xi , q2 ( Yi , Y2 ) :Xi| +p2 (Yi, Y2) : Xi . 
r3: q2(Y3,Y4) : X2^P3 (Y3, Y4) : X2, pa (Y4, Y5) iXsj +P2(Y3,Y4) :X3, 
+P3(Y3,Y4) :X3. 

ARi: arl: +p2 (a, b) : . 75 ] pi (a, b) : . 5^+pi (a, b) : . 75 
EDBp : pi(a,b) :0.5,p3(a,b) :0.5,p3(b,c) :0.75. 

Let A e CBc, A = qi{a, b) < hp2(a, b), +^3(0, b), and / be the following interpretation 

(which is also an r-interpretation): 

I{pi{a,b)) =0.5 

I{p3{a,b)) =0.5 

IiP3{b,c)) =0.75 

I{qi{a,b) ^ +P2{a,b)) = (0.5,0.75) 

Iiq2{a,b) ^ +P2{a,b),+p3{a,b)) = (0.5, 0.75, 0.75) 

I{K) = Sr for any other constrained ground 

atom K e CBc 

Tp{I){A) is the n-principal (0.5, 0.75, 0.75). Indeed: 
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• qi{a,b) : 0.5 ^ Pi(a,6) : 0.5,q2ia,b) : 0.5| +^2(0, 6) : 0.5 £ GI{IDBp U 
£;i:>Bp); 

• pi{a.h) : 0.5 e I,P3{a,b) : 0.5 £ hpzih.c) : 0.75 £ I,q2ia,b) : 0.5 ^ 
+P2(a, 6) : 0.75 G /, +^3(0, 6) : 0.75 G /; 

• {+P2(a,6) : 0.5)}U{+P2(a,6) : 0.75, +^3(0, : 0.75)} = {+P2{a,b) : U2{0.5, 
0.75}, +P3(a, 6) : 0.75}, thus obtaining the set {+p2 (a, 6) : 0.75, +^3(0, 5) : 
0.75}. O 

Given a constrained atom A and an interpretation /, Tp{r){A) is an n-ideal, thus it is 
a set of tuples of lattice values]^ However, n-principals more clearly characterize the se- 
mantics value of a given constrained atom, since they can be represented by using just one 
tuple of lattice value. Thus, they are good candidates for defining a bottom-up semantics 
for AAU-Datalog databases. 

In order to use n-principals in defining the semantics of a AAU-Datalog program, a new 
fixpoint operator has to be defined dealing with n-principals. Similarly to what has been 



done in (Kifer and Subrahmanian, 1992), such an operator can be easily defined starting 
from operator Tp, by combining together all the tuples of ideals generated for a given 
atom. More formally, the operator, denoted by Rp, can be defined as follows. 

Definition 19 {Operator Rp) 

Let / be an r-interpretation and P an AAU-Datalog program. The operator Rp{I), for any 
A £ CBc, is such that Rp{I){A) = UTp{I){A), where UTp{I){A) is a shorthand for 

Tp and Rp satisfy several important properties, as pointed out by the following theorem. 
Theorem 1 

Let P be an AAU-Datalog program, / an r-interpretation. Then: 

1. Tp is monotonic and continuous; 

2. i?p is monotonic; 
2>.Tp]u^ lfp{Tp)-^ 

4. lfp{Tp) is a model for P. 



Proof: It follows from (Kifer and Subrahmanian, 1992), by considering T" as a complete 



lattice. □ 
Since we would like to use Rp to compute the semantics of a AAU-Datalog program, 
thus assigning a single n-principal to each constrained atom, we must be able to compute 
the fixed point of Rp. The main difference between Tp and Rp is that the first is contin- 
uous while the second is not, as shown by the following example, taken from (Kifer and 
Subrahmanian, 1992). This implies that Rp f a; is not a fixed point for Rp. 



Note that in the previous example we deal with n-principals, but in general the Tp operator generates an 
n-ideal. 

8 As usual, T],{I) = Tp(/), T'^^ = Tp{T\,{I)), and Tp \ ui = Ui^i>({}) and Tp T ^(A) = 
U,T|,({})(A). 
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Example 9 

(Kifer and Subrahmanian, 1992) Suppose T is the interval of real numbers [0, 1] with the 



usual ordering and consider the following program: 

p: ^ <~p:x\ 
q:l^p:l\. 

It is quite easy to prove that Tp ^ i, < i < uj, always assigns the empty ideal {} to q. 
Therefore, Tp u!{q) = {}. According to the restricted semantics Rp f = {a\a < 
1}. On the other hand, according to the general semantics, Tp t ^^{p) = {a\a < 1}. This 
means that from the r-semantics we obtain Rp{Rp f tL!){q) = T while from the general 
semantics we obtain Tp{Tp "f 'jj){q) = {}. Thus, Rp f is not a fixpoint of Rp in the 
r-semantics but, in the general semantics Tp j is a fixpoint of Tp. O 

In order to make valid the equation Rp ] lu = lfp{Rp) and using Rp for computing 
the deductive semantics of an AAU-Datalog program, some sufficient conditions have to 



be proposed. To this purpose, in ( |Kifer and Subrahmanian, 1992| ) the notion of acceptable 



program has been introduced. In the following, the notion of acceptable program is revised 
to deal with constrained atoms. As we will see, for any acceptable program P, Rp ] lo = 
lfp{Rp). Informally, an acceptable program P is a program in which any c-annotated 
literal appearing in the body of a rule in P is reachable by Tp in at most u) step. 

Definition 20 {Acceptable program) 

An AAU-Datalog program P is said to be acceptable if and only if for any c-annotated 
literal A : ^ appearing in the body of a rule r of P, for any constrained annotated atom 
M G CBc with the same head, if U{Tp ] lo) ^ M', for some ground instance M' of M, 
then Tp 1 uj ^ M' . In the previous formula, U{Tp t oj) is a shorthand for IJ^ UTp ] 

uj{A). □ 

The following proposition presents a syntactic characterization of acceptable programs. 
Proposition 1 

Let P be an AAU-Datalog program such that one of the following conditions holds: 

1 . all rules contain only c-annotated atoms in their bodies; 

2. all rules contain only v-annotated atoms in their bodies. 

Then P is acceptable. 
Proof Sketch: 

1. Under the hypothesis, Tp \ io{A) is a finitely generated ideal for every A and it is 
also an n-principal. Thus, U(Tp f tj) = Tp ] lu and therefore the thesis follows. 

2. The thesis trivially follows because, under the hypothesis, no condition has to be 
checked. □ 



If a program P is acceptable then Rp 'I uj ~ lfp{Rp) holds and is possible to establish 
a relationship between Rp and Tp. 
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Theorem 2 

Let P be an acceptable AAU-Datalog program, T a complete lattice. Suppose that T is 
endowed with the least element L, then Rp ] uo = lfp{Rp) — U{lfp{Tp)). The fixpoint 
semantics of P is defined as = lfp{Rp). □ 

In order to prove the previous theorem, we need a lemma. 

Lemma 1 

Let P be an acceptable AAU-Datalog program over a complete upper semilattice T with 
the least element _L. Then: 

L Rp]uj = UTp T uj. 
2. Rp{Rp ] Lo) = Rp] Lo. 

Proof 

1. In order to prove the first statement we prove that Rp ] oj Z) U{Tp ] ui) and 
viceversa. 

(a) Rp t w 3 LJ(rp ■[ Lo): The proof of this case follows from the proof presented 
in ( ^ifer and Subrahmanian, 1992 ), by considering T" as complete lattice. The 
proof does not use the notion of acceptability (which has been changed with 



respect to (tCifer and Subrahmanian, 1992)) but only the properties of Tp and 
Rp, presented in Theorem 
(b) Rp] uj<Z U(Tp 1 1^): We show that, for all i and A e CBc 

U{Tp]uo){A) D {Rp]i)iA). 

From the previous statement, it follows that: 

U(Tp r uj){A) 2 {{Rp ] i)iA)\i = 1, 2, ....} ^Rp]u; 
which is the thesis. We prove (|lb|) by induction on i. 

The base case is trivial since 6r — U(5, by definition. For the inductive step, we 
assume that U{Tp ] iLj){A) D {Rp ] k){A) and we prove that it holds also for 
k + 1. 

By definition of Rp, 

Rp{Rp ] k){A) = U{< ^'fc >\H:fio^Bi:tii,...,B 

Ctn+lDn+l '■ f'n+l, ■ ■ ■ , Oln+pDn+p '■ f-n+p G GI{IDBp U EDBp), 

3ri, ...,r„, Tu = Bu : M« ^ "i-D^ : fii, . . . : u=l,... ,n 

Rp ] k \='' ri, i ^ 1, . . . ,n 
A^H^a[D[,... ,a'^D'^ 



{aiL>i : 111,. . . ,akL>k ■ i^ki 



I 



}\J\ U K^^mU 

, u — 1 , . . . , n 
Vt ^ 1, . . . ,nu 



By the inductive assumption, we have U(Tp ] iLj){A) 2 {Rp ] k){A) and 
therefore 



U(Tp ] co) ^ Bu : fin ^ alDl : fil . . . ,a^-D^ : u^l. 



,n 
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Because of the acceptabihty of P, this also means that 



and therefore < /Iq, /z'j^, ^'j, >e Tp f From this, the thesis follows. 

2. The proof of the second statement follows from the monotonicity of Rp and since 
Rp t w 3 Rp t i, for all i. The other inclusion is proved similarly to the proof of 
the first statement, case |T^ □ 

From the proof of Lemma [l| it is now easy to prove Theorem ^. 
Proof of Theorem By statement (1) of Lemma [l| and by Theorem |l], it follows that 
Rp] oj = U{lfp(Tp)). By (2) of Lemma [l|, Rp t w is a fixpoint of Rp, and, due to the 
monotonicity of Rp, it is the least fixpoint. □ 



3.2 Deductive semantics of the amalgam 

Starting from the deductive semantics of the local databases, it is quite easy to compute the 
deductive semantics of an AmAU-Datalog program. Indeed, all the presented definitions 
and results still hold when applied to amalgamated atoms, since such atoms only differ 
from the annotated ones due to the presence of a label indicating the database to which 
they refer Thus, the semantics presented for AAU-Datalog programs can also be applied 
to AmAU-Datalog programs. 

In the following, to emphasize the fact that we are considering the fixpoint operator 
associated with an amalgam, an r-interpretation for an amalgam is called AM- interpretation 
and operator i?p is renamed as AM p. 

It is now interesting to establish some connections between the semantics of the amal- 
gam and the semantics of the local databases. To this purpose, similarly to what has 



been done in ( Subrahmanian, 1994 ), we introduce two notions that allow one to relate 
r-interpretations and AM-interpretations. In particular, given an r-interpretation, we call 
locale the set of AM-interpretations that agree with that r-interpretation as far as a par- 
ticular local database is concerned. On the other hand, given an AM-interpretation I, the 
projection of / on a given local database DB is the (unique) r-interpretation obtained by re- 
stricting I to DB. In the following, given an AM-interpretation /, we denote with I{B){i) 
the n-principal assigned to B in DBi. 

Definition 21 (Locale) 

Let be an r-interpretation for an AAU-Datalog program DBi. The locale of is the 
set |/«"»' I jam/ an AM-interpretation and V constrained ground atom 

I''-^\B){i) = P°''{B)}. □ 

Definition 22 (Projection) 

Let A be the amalgam of (S, DBi, . . . , DBn) and an AM-interpretation. The pro- 
jection of 1°'™'' on DBi, with 1 < i < n, is the r-interpretation /'°^ defined as = 
I<'"'\A){i). □ 
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Example 10 

Let DBi , DB2 be two local AAU-Datalog databases. Suppose that the base language con- 
tains only the extensional unary predicates p and q. Let FOUR be the lattice of truth values, 
and 7°'"' the following A-interpretation: 

J'""'(p(a))(l) = t. /™'(]5(a))(2) = /. 
J"'"'(g(a))(l) = T. /™'(g(a))(2) ^ t. 

The projection /'°^ of J"™' on DBi is the following r-interpretation /: 

P°%p{a))^t. /'°=(g(a)) = T. O 

Starting from the previous notions, the following results can be stated, pointing out 
the relationships between the fixed point semantics of the amalgam and that of the local 
databases. 

Theorem 3 

Let DBi , . . . , DBn be n AAU-Datalog programs, S a supervisor, and A the amalgam of 
(S, DBi , DBn). Let 7'^™' be the fixed point of AM a and the projection of 7'^™' 
on DBj, j = 1, ...,n. Then is the fixed point of Rd Bj ■ 



Proof Sketch: It follows from ( Subrahmanian, 1994 ), since AmAU-Datalog programs can 



be seen as positive GAPs, where update atoms are never evaluated. □ 

Intuitively, Ij is the r-interpretation obtained by extracting information about DBj from 
jam; rpjjg theorem says that every fixed point of the amalgam is an expansion of a corre- 
sponding fixed point of a local database, but it does not say that every fixed point of the 
operator associated with a local database can be expanded in a corresponding fixed point 
of the amalgam. This result is valid if the supervisor is "strong" (see Definition ||). 

When the supervisor is strong, every fixed point of a local database can be expanded to 
a fixed point of the amalgam, as stated by the following theorem. 

Theorem 4 

Let DBi , . . . , DBn be n AAU-Datalog programs, S a strong supervisor, A the amalgam 
of (_S, DBi, ... , DBn), and be an r-interpretation. If 1^°" is the fixed point of RoBj, 
an A-interpretation J"^™' in the locale of exists such that is the fixed point of 
AMa. 



Proof Sketch: It follows from ( Subrahmanian, 1994 ), since AmAU-Datalog programs can 



be seen as positive GAPs, where update atoms are never evaluated. □ 

The deductive semantics of a simple transaction T with respect to the amalgam 
A = iJ^^-^AT{DB^) U C U S" is defined by using the fixpoint operator AMp. As usual 
in database systems, we give a default set-oriented semantics, that is, the query-answering 
process computes a set of answers. Before formally introducing the semantics, we need 
two auxiliary definitions. 

Definition 23 

Given a set of bindings h, a transaction T, and a substitution 
9 = {Vi ^ ti, . . . ,Vn^ tn}, we define 
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= {{X =t) eb\X occurs in T}; 



• eqn{e) = {Vi^h,... ,V^=tn}. □ 

In the following, we denote with Set(T, A) the set of pairs {bindings, updates) com- 
puted as answers to the simple transaction T (as we will see in Section |[ in a complex 
transaction, the answers are computed for each transaction in the sequence, therefore the 
definition has not to be changed). 

Definition 24 {Query answers) 
Let 

• A ^ [J2^^AT{DBi) U S* U C be the amalgam of n acceptable AAU-Datalog pro- 
grams over a complete lattice T, with a strong supervisor S = SIDB U SAR; 

• IDBa = U'1^i{AT{IDBdb,)) U SIDB U C; 

• T = Bi : [Ci,/ii],... ,Bn : [Cn, ^J'n]\0ln+lDn+l '■ Mn+l] i ■■ • J 

Un+kDn+k '■ [En+kT IJ-n+k], a simple transaction such that Ci is a NAME-term 
over {s, 1, . . . , n}, i — 1, . . . , n, i?j is a ground NAME-term containing only one 
element over {!,... , n}, aj G {+, — }, j = n + 1, n + k. 

We define the operator Set as follows: 
Set(r,F) = {(6,17)1 

i = 1, ...,n, 

e = mgu{{Bi : [Ci,/ii], ... , -B„ : [C„,^„]), (Ai : [Ci,]!^], ... , 

An ■■ [a., /!„])) 

b = eqn{9)\T 

U — {{Un+lDn+l ■ [En+1 , fin+l])6 , ■ ■ ■ , {ctn+kDn+k ■ [En+k, 



. i — 1. . . . ,n 
\u ^ 1 . . . ,ki 



} 



J 



where U is defined in Definition 1 8l 



□ 



Example 11 

Consider the amalgam presented in Example ^ Figure Q presents the computation of the 
fixed point for the considered AmAU-Datalog program. Let T ~1 pblock{X) : [s,t], 
iblockiY, Z) : [s, t] be a simple transaction checking if there is a partial block due to any 
substance and a total block due to any pair of substances between sl,s2 and s3. It is easy 
to verify that 



Set(r, A) = {{{X ^ s3, Y ^ sl,Z ^ s3}{+overJv{sS) : [1, t], +overJv{s3) : [2, t], 
+overJv{s3) : [3,t], +criticaljv{s3) : [l,t], +criticaljv{s3) : [2,t], 
+criticalJv{sS) : [3,t],+partialJ)lock{s3) : [l,t],+partialJ)lock{s3) : [2,t], 
+partialJ}lock{s3) : [3,t], +totalJ)lock{sl, s2) : [l,t], 

+totaljblock{sl,s2) : [2,t], +totalJblock{sl, s2) : [3,t].})} O 



28 



E. Bertino, B. Catania, and P. Perlasca 



AM\{<!i) = { sensor(sl) ■ [l,t\,sensor(s2) : [1, ±],sensor(s3) : [l,t\,overJv{sl)\l,t\, 

critical Jv (si) : [1, i] , over J^;(s3) [1, i] , pariia/_6/oc/c(s3) [1, , sensor(sl) : [2, _L] 
sensor(s2) : [2,t], sensor(s3) : [2,t],overJv{s2)l2,t],criticaUv{s2) : [2, t], 
over-lv{s3)[2, t]jpartial-block{s3)[2, t]j sensor{sl) : [3,t],sensor{s2) : [3,t], 
sensor{s3) : [3, t], overJv{sl)[3j t], overJv{s2)[3j t], overJv{s3)[3j t], 
partial.block{s3)[3, t]. } 
AM^(0) = AM\(@)u{ dangerJv(sl) : [l,t] ^ +overJvisl) : [l,t],+criticaUv{sl) : [l,t], 

danger Jv{s2) : [1, ±], danger Jv{s3) : [l,t] < \-overJv{s3) : [1,*], 

+criticaljv{s3) : [l,i], 

danger Jv{sl) : [2,l.],dangerjv{s2) : [2.t] < \-over Jv{s2) : [2,i], 

+criticaljv(s2) : [2, t], 
[2, t] ^ +ot>erJj)(s3) : [2,t], +criticaUv(s3) : [2,t], 
[3,t] ^ +otierJ?;(sl) : [3, t] , +criticaZ Ji;(sl) : [3,t], 
[3,t] ^ +ot;erJt)(s2) : [3, t], + critical Jv(s2) : [3,t], 
[3, i] « hover Jv{s3) : [3^ t], -\-criticalJv(s3) : [3,i], 



(iarig'erJf(53) 
danger Jv(5l) 
danger_lv(s2) 
danger Jv{s3) 
danger Jv (si) 
danger Jv{sl) 



danger Jv(sl) 
danger Jv{s2) : 
danger Jv{s2) : 
dangerJv{s2) : 

dangerJv{sS) : 

danger Jv{sS) : 



[{1,2},*] 
[{1,3},*] 

[{2,3},*] 
[{1,2},*] 
[{1,3},*] 
[{2,3},*] 

[{1,2},*] 

[{1,3},*] 



+oi;er_/i?(sl) : 
+oi;er Ju(sl) : 
-\-overJv{sl) : 
+oi;er_/v(sl) : 



[1, t], -\-criticaUv{sl) : 
[1, t], +criticaZ Jti(5l) : 
[3, t], +critica^J?;(sl) 

[3, t], -\-criticalJv{sl) ; 



danger Jv(s3) : [{2,3},t] 



danger Jv{sl) : 



danger Jv{s2) 



[{l,2,3},t] 
[{l,2,3},t] 



danger Jt;(53) : [{l,2,3},t] 



+oi;er_/t?(s2) : [2, t]. -^critical _lv{s2) 
-\-overJv{s2) : [3, i] , +critico/Jv(52) 
+ot;erJ?j(s2) : [2,t],-\-criticalJv{s2) 
-\-overJv{s2) : [3, t] , +critica/Ju(s2) 
-\-overJv{s3) : [1, i], +criiica/Ji!(s3) 
+ot'er Jf(s3) : [2, t], -\- critical Jv{s3) 
-\-over-lv(sS) : [1, t], +critica/Jv(53) 
+o'uer Ji;(s3) : [3, t]^ -\-criticalJv{s3) 
-\-overJv{s3) : [2, t], +crztzca/Ji;(s3) 
-\-overJv{s3) : [3, , +crzi«ca/Jv(s3) 

■* \-overJv(sl) : [1, t], -\-criticalJv{sl) 

-\-overJv{sl) : [3,t], -\-criticalJv{sl) 

< ^overJv(s2) : [2, t]., -\-criticalJv(s2) 

-^overJv(s2) : [3, t], +criticaljv{s2) 
■ -\-overJv{s3) : [1, t]. -\-criiicalJv{s3) 



[1,*], 
[i-t], 

[3,*], 
[3,t], 
[2,*], 
[3.*], 
[2,t], 
[3,*], 
[1,*1, 
[2,*], 
[1-t], 
[3,*], 
[2,*], 
[3,*], 
:[l,t], 
: [3,*], 
:[2,t], 
: [3,*], 
: [1,*], 
: [2,*], 
: [3,*], 



tblock{sl, s2) : [s, t] 



AM^(0) U { pblock{s3) : [s, *] 



[2, *], +critical-lv{s3) 
[3jt], +criticalJv{s3) 
[l,t],+totalJ>lock{sl,s2) : [2,*], 

[3,*], 



-\-overJv{s3) : 

-\-overJv{s3) : 
-\-total.block{sl , s2) ; 
-\-totalJ)lock{sl, s2) : 

} 

-\-overJv{sS) : [l,t],-\-over-lv{s3) : [2,t], 
+overJv(s3) : [3, t], -\-criticalJv{s3) : [1,^], 
-\- critical _lv(s3) : [2, t], +criticaljv(s3) : [3,t], 
-\-partial-block{s3) : [l,t], -\-partial-block(s3) : [2,t], 
-\-partial-block{sS) : [3,t]. } 



AM*(0) = AM^(0)=JF(^) 



Figure 4. The fixpoint computation 
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4 Active part semantics 

After computing the deductive semantics of amalgam, active rules have to be considered 
in order to determine which additional updates they generate. The active part semantics is 
directly defined for the amalgam and is given following the line of the PARK semantics 



proposed in ( Gottlob et ai, 1996 ) 



In order to introduce such semantics, three main aspects have to be considered: 

• First of all, we have to determine which active rules are fired. An active rule is fired 
if all update atoms contained in its body have already been generated either by a 
deductive rule or by another active rule and all the deductive atoms can be deduced 
from the deductive rules. 

• After deciding which rules are fired, a mechanism has to be proposed to deal with 
conflicts, i.e., insertion and deletion of the same information. In particular, conflicts 
have to be detected and removed by using a conflict resolution function. 

• Finally, we have to specify how the overall triggering process takes place, since 
updates generated by an active rule can trigger a different active rule and this process 
can be iterated. Conditions to guarantee termination have also to be presented. 

In the following, all the previous aspects are discussed in details. 



4.1 Validity conditions 

An active rule is fired if the following conditions hold: 

• each update atom in the event part of the active rule has already been generated either 
by the deductive part or by firing another active rule; 

• each positive atom in the condition part of the active rule is satisfied by the deductive 
part semantics; 

• each negative atom in the condition part of the active rule is not satisfied by the 
deductive part semantics. 

The previous conditions point out that validity of event-condition atoms has to be 
checked with respect to something different than r-interpretations, since also update atoms 
have to be considered. To this purpose, the concept of restricted-intermediate interpreta- 
tion (ri-interpretation) is provided. 

Definition 25 {ri-interpretation) 

Let be the set of ground, non annotated atoms that can be constructed over a base 
language C. Let The a complete lattice. An ri-interpretation is a function associating with 
each element of a principal of T. We denote with RI(T) the set of all ri-interpretations 
over T. □ 

Similarly to r-interpretation, also ri-interpretations can be seen as a set of amalgamated 
(but not constrained) atoms. In the following, for the sake of simplicity, we use this set- 
based notation. 
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To establish when an active rule can be triggered, we introduce a validity predicate. 
Given an amalgamated atom and an ri-interpretation, the validity predicate returns true if 
the atom is vaUd in the considered ri-interpretation. 

Definition 26 (Validity) 

Let a be a ground amalgamated literal, a is valid in an ri-interpretation / (denoted by 
valid{a, /)) if one of the following conditions holds: 

{in {A: [D,-il],+A: ^ 0, /x < /I and a = A : 



(7n : [D,-p],+A : [D,Ji]}) = or -A: [D,-p] G I,n<JI and a = -.^ 

+A : [D,]i\ e I, ^ <JI and a = +A 

—A : [D ,]!] £ I , fj. < JI and a = —A 



□ 



According to the previous definition, a positive amalgamated (11^ U 11% S, y)-atom is 
valid in 7 if 7 contains the same atom with a greater annotation or if an atom with a 
greater annotation has to be inserted. A negative amalgamated U H*, S, y)-atom is 
valid in 7 if 7 contains an update deleting the same atom with a greater annotation or if 
the corresponding positive atom is not vaUd. An amalgamated (11", S, F)-atom is valid 
in 7 if 7 contains the same atom with a greater annotation. Notice that both A : [D, fj\ 
and -^A : [73, /i] can be valid according to this definition. The intuition behind the above 
definition is that since a positive or negative atom belongs to the condition part of the active 
rule, its validity must be checked with respect to the derived atoms and also to the inserted 
and deleted atoms. Otherwise, to represent the occurrence of an event, we require that just 
the update modehng such an event belongs to the ri-interpretation. 

An active rule is therefore triggered by an ri-interpretation 7 if all its event-condition 
atoms are true with respect to 7. 

Definition 27 

Let 7 be an ri-interpretation and r an AmAU-Datalog active rule, r is triggered by 7 if aU 
the event-condition update atoms and literals in r are valid in 7. □ 

Example 12 

Let 7 be an ri-interpretation such that +P2 (a, : [1,0.75] e I,pi{a,b) : [1,0.75] € 7. Let 
r, s be the following AmAU-Datalog active rules: 

r: +P2{a,b) : [1, 0.75] | pi(a, 6) : [1, 0.5] ^ +pi(a, 6) : [1,0.75]; 
s : +P2ia,b) : [1, 1]| pi(a, 6) : [1,0.5] ^ -piia,b) : [1,1]. 

r is triggered by 7 since all the event-condition atoms in r are vaUd in 7. More precisely, 
Pi{a, b) : [1, 0.5] is vaUd since pi (a, b) : [1, 0.75] S 7 and 0.5 < 0.75 whereas +P2{a, b) : 
[1, 0.75] is valid since it belongs to 7. On the other hand, s is not triggered by 7 since 
1 > 0.75. O 



4.2 Blocked rule instances 

Suppose that, given an ri-interpretation, more than one rule is fireable. It could happen that 
the actions (i.e., the updates) to be executed are conflicting. This happens when some active 
rules add a certain atom and some others remove it. The concept of conflicting updates can 
be formally defined as follows. 
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Definition 28 {Annotated conflicting update atoms) 

Let Ui = aiD : [i, fii] and U2 — a2-D' : [i, IJ.2] be two annotated update atoms. Ui and U2 
are conflicting if there exists a substitution a such that {D)a = {D')a and ai G {+, — }, 
i — 1,2, ai ^ a2- D 

Note that two update atoms are conflicting if they require the insertion and the deletion 
of the same information, independently from the associated annotations. 

An ri-interpretation is consistent if it does not contain any pair of conflicting updates. 
For what we will do in the following, it is important not only to identify conflicting updates 
but also the rule instances (also called rule grounding) generating them. To this purpose, 
we introduce the concept of conflict. 

Deflnition 29 (Conflicts) 

A pair (r, 6), where r is a rule and is a ground substitution for r is called a rule grounding. 

Let P be a set of AmAU-Datalog active rules and / an ri-interpretation for P. Then 
COnflictS(P, /) is a set of maximal tuples of the form {i,A,\ns, del) such that i is a database 
identifier, A is a ground atom, and ins and del are sets of active rule groundings. For each 
such triple the following conditions must hold: 

1 . there exists r,r' eP 

r = Ai : [Di,^j,i],. . . ,An[Dn,^J.n] ^ Bi : [Ei,ipi], . . . ,B„i : [Em,-iJJm] 

r' = A[ : [D[,p[],... ,A'„,[Dl^,,fi'^,]^B[ : [E[,^[], . . . , B'^, : K,,^,,] 

where Ah,h = 1, ...,n, A'^, ,h' = 1, n' are either amalgamated update atoms 
or deductive amalgamated literals, Bk,k = 1, ...,m, Bk', k' — 1, .... m' are update 
atoms, and 6, 9' ground substitutions such that 

• \Jhl<h<n, valid(A,, : [Dh,Ph]e,I), 

• Vfc 1 < fc < n', valid(A'fe : [D'f^,n'f^]e',I), 

• 3p,q.l<p<m.l<q<m'.Bp: [Ep, V'p] = +C : [Ep, ^p],B'g : [E'^, V^] = 
-F : [D'g, tP'g] and A = CO = F9'. 

2. For all r, r' and 0, 9', satisfying condition |l] above, (r, 9) G ins and (r', 9') G del. 

A tuple (i, A, ins, del) G COnflicts(P, /) is called a conflict. □ 

To solve conflicts, a parametric conflict resolution policy is introduced. Such a policy 
specifies, for each conflict, which update must prevail. 

Deflnition 30 (Conflict resolution policy) 

Given an AmAU-Datalog extensional database EDB, a set of rules P, an ri-interpretation 
/ and a conflict c, we define se\{EDB,P,I,c) as a total function with range 
{insert, delete}. □ 

The intended meaning of se\{EDB, P, I, {i, A, ins, del)) is to choose whether atom A, 
object of the conflict, should be inserted in or deleted from /, thus effectively choosing 
which of the conflicting update requests should prevail. Note that the selection function 
cannot require the insertion and the deletion of the same atom, since for each ground atom 
only one conflict can exist. 
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Gottlob et al. (Gottlob et ai, 1996) present a number of commonly adopted policies, 
and discuss their advantages and disadvantages. We briefly recall here some of them. The 
principle of inertia states that both the conflicting updates should be discarded, thus leav- 
ing EDB in the same state as before with respect io db: a (in our framework, this can be 
obtained by returning insert if rf6 : a was akeady in EDB, delete otherwise). The source 
priority policy determines which update should prevail according to which database the 
rules requesting such updates come from (in our framework, this can be obtained by using 
the mapping / which establishes the relation between rules and databases of our system). 
The rule priority policy, found in systems such as Ariel (|ianson, 1996|), Postgres (S tone- 



braker et a/., 1990) and Starburst ( Widom and Finkelstein, 1990| ), assumes that each rule 



has a (static or dynamic) priority associated with it; sel returns insert or delete as needed 
to preserve the update requested by the highest-priority rule. Other policies, like voting 
schemes or user queries, are also reasonable, but the final choice is left to the particular 
apphcation. 

Based on the result of the sel policy, we prevent the rule instances in one of the two sets 
of a conflict from firing, by blocking them according to the following definition. Blocked 
rule instances will then be used in the next subsection to specify how active rule computa- 
tion takes place. 

Definition 31 {Blocked rule instances) 

Given an AmAU-Datalog extensional database EDB, a set of rules P, a conflict resolution 
policy sel, and an ri-interpretation /, let 

X = {del I {i, A, , ins, del) e conflicts(P, /) and 
sel(£;i:»B,P,/, (i,yl,ins,del)) = insert} 

Y = {ins I (i,v4, ins,del) e conflicts(P, /) and 

se\{EDB,P,I, {i,A, ins, del)) = delete}. 



We define 



blocked(£Z?B,P,/,sel) = (U.ex^) U (U 



JyeY . 



We block an entire rule instance, rather than a single update, so that the set of updates 
requested by the same rule instance exhibits an atomic behavior: either all the updates 
in the set are executed, or no update at all. This avoids the risk of making the database 
inconsistent due to partially-executed actions. 

Example 13 

Consider the AmAU-Datalog active rules presented in Example |l^ and let / be an ri- 
interpretation such that: +P2{a,b) : [1, 1] G I,pi{a,b) : [1,0.75] G /. 

In this situation, both r and s are triggered by / since all their event-condition atoms 
are valid in / and a conflict C = (l,pi(a, b), {(r, 0)}, {(s, 0)}) arises. If we assume that 
the conflict resolution function privileges deletions, we block the rule instance r, obtaining 
blocked{EDB, P, I, sel) = {r}. O 
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4.3 Computation 

Using the above concepts, given a set of AmAU-Datalog rules P, a set of blocked rule 
instances B, and an ri-interpretation /, we define an immediate consequence operator over 
ri-interpretations F p s (/), similarly to other bottom-up operators defined in the logic pro- 
gramming context. However, differently from them, some rules may not be fired during the 
computation, even if their body is valid, due to the blocked set of rules. 

In performing such a computation, we have to consider not only active rules but also 
deductive rules, since we have to check validity of both the event and the condition part of 
active rules. In particular, the following aspects should be taken into account: 

• conditions should be checked by taking into account the requested updates; 

• the resolution of a condition should not affect the state of the system. 

While the first condition is assured by the considered notion of validity (see Definition p6| ), 
to fulfill the second condition we remove the update part from the rules of the intensional 
databases by using the purification operation defined below. 

Definition 32 (Purification) 

Given the intensional database IDB of an AmAU-Datalog program, we define its purified 
version IDB as the set of rules 

Bi, . . . , B,n — > H. 

such that there exists in IDB a rule 

H ^ Ul, . . . ,Un, Bl, . . . , Bm- n 

It is worth noting that a query is provable in IDBj^ U EDB^ if and only if it is provable 
in IDBj\^ U EDBj^, with the same computed answers. The purification only avoids the 
side effects of the query evaluation. Also notice that we reversed the direction of the arrow 
in order to have a uniform notation with active rules. 

In the sequel, we generically use the term "rules" to refer to both active and purified 
amalgamated rules. 

Definition 33 (Immediate consequence operator) 

Given a set of AmAU-Datalog rules P, a set of blocked rule instances B, and an ri- 
interpretation J, we define Tp^b{I) as UU^ where U is the smallest set satisfying the 
following conditions; 

1. I CU; 

2. If r = Ai : [Di,pi], . . . ,^„[L)„, : Bi : [Si, i/'i], ■ • ■ , B„i : [E„i,i}Jm], r G 
P and is a ground substitution such that 

• ir,0)^B; 

• va\\6{Ak : [Dk,fik]0,I), k = 1, n, then {(Bi : [Si, Vi])^, • ■ ■ , (S„ : 

^UU = {A: [D,fi]\A: [D,fii],...,A : [D,fin] £ U andUifn = fi}. 
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The main difference of the above operator with respect to the traditional immediate 
consequence operator of logic programming is that it may happen that some of the rules 
are not fired even if their body is valid, due to the blocked set of rules. Moreover, such 
operator is monotonic but it is not continuous.]^ Indeed, if we consider an AmAU-Datalog 
program P without update atoms and active rules and we let B — {}, then Tp B coincides 
with Rp. Thus, from Theorem |IJ it follows that Tp p is not continuous. However, the 
following proposition shows that if P is c-annotated, or the lattice is finite, Tp s admits a 
fixpoint, reachable in a finite number of steps. 

Proposition 2 

Let P be an AmAU-Datalog database and B a set of blocked rule instances. If T is finite 
or P is c-annotated, operator Tp s admits a fixpoint IfpiTp^B) — ^p.b T <^ and there 
exists k such that Tp B T = ^ p,b T k. 

Proof 

If T is finite, the number of ri-interpretations is finite. Therefore Tp B is a monotonic 
operator over the finite lattice of ri-interpretations, ordered by C+, where C+ is the usual 
containment between sets with the following exception: if / contains A : [D,^], then 
{A : [D, /Lt']} C+ /, for all ji' < fi. Thus, it is also continuous and the thesis follows. If P 
is c-annotated, it is also acceptable and IfpiTp^s) = ^p.b T ^ follows from a reasoning 
similar to that presented in the proof of Lemma |l} Moreover, since annotations are fixed, 
the number of terms that can be constructed over the base language is finite, and rules are 
range restricted, thus there exists k such that Tp B 1 ^ ^p.b 1 k. □ 

In general, the application of the function Fp s to a consistent ri-interpretation does not 



return a consistent ri-interpretation, as shown in ( Bertino et ai, 1998 ). Therefore, even 
under the conditions presented in Proposition ||, we cannot compute the semantics of P as 
the least fixpoint of Fp.s . We must instead appropriately select rules, that is, we must build 
a set of blocked rules B such that the least fixpoint of Tp p is consistent. Thus, instead of 
dealing with ri-interpretations, the notion of bi-structures is introduced, as in (G ottlob et 
ai, 1996), in order to take blocked rules into account during the computation. 

Definition 34 (Bi-structures) 

A bi-structure {B, I) consists of a set B of rule groundings and of an ri-interpretation I. 
We define an order relation on bi-structures as follows: 



{Bj)^{B'j') n 



B C B' or 
B = B' and / C+ /' 



Given ^ and S bi-structures, ^ ^ i3 = {A = B W A -< B). □ 

On this domain, we can define an operator having a fixpoint, that is used to compute the 
semantics of the active part. 

Definition 35 (A operator) 

In Active U-Datalog, a similar operator has been defined which however is continuous ( ^ertino et at, 199^ ). 
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Given a set of AmAU-Datalog rules P, a bi-structure {B, I) and a conflict resolution policy 
sel, we define 



Ap,sel((S,/)) = 



{B,Tp,b{I)) if Tp,b{I) is consistent; 

{B U blocked(/% P, I, sel), r) otherwise. 



where I'^ is the set of the extensional amalgamated atoms contained in /, that is: 

r ^ {A: [D, fj]£l \ pred{A) e W}. □ 



The definition of A we give here differs from the original in (Gottlob et ai, 1996) be- 
cause the set of rules P contains not only rules with updates in the right hand side (properly 
active rules) but also purified rules that allow us to derive intensional knowledge rather than 
new updates. Notice that this extension does not affect the consistency of ri-interpretations, 
since the purified rules can only add amalgamated (11*, E, y)-atoms to the ri-interpretation. 

The intuitive idea of the A operator is that, if no conflict arises, A does not change the 
blocked rule set B, and only the ri-interpretation of the bi-structure is changed by adding 
the immediate consequences of the non blocked rules. On the other hand, as soon as a 
conflict arises, the conflict is solved via the resolution policy sel and all blocked rule in- 
stances are collected. Then, the computation of A is started again from the ri-interpretation 
I'^ with the augmented set of blocked rules. The ri-interpretation represents the set of 
the extensional atoms of the database, and we have to resort to it to be sure that the starting 
point of the new computation does not contain atoms whose validity depends on actions of 
rule instances that are now blocked. 

In order to define a semantics based on the A operator, we must be sure that a fixed point 



of A exists. However, as shown in (Bertino et al., 1998), A in general is not continuous 



due to the non-continuity of Tp B and to function blocked, which in turns depends on 
an arbitrary function sel and is not monotonic. Therefore, we cannot prove that A has a 
fixpoint by using the fixpoint theorem. However, if the program is c-annotated or if the 
lattice is finite, it is possible to prove the following result. 

Proposition 3 

Let P be a set of AmAU-Datalog rules, sel a conflict resolution policy, T> ~ {B,I) a 
bi-structure, / a set of ground amalgamated extensional atoms. Suppose that either P is 
c-annotated or the lattice is finite. The following statements hold: 

1. V< Ap,sel(I?), 

2. Apgg|(P) is a fixpoint of Apsei and there exists k such that 

A^;33,(P)=A^3,,(I?). 

Proof 

1. Let Ap,sei(2?) = {B',!'). If I' is consistent, then B' = B and /' = rp,i3(/) D+ / 
by definition of F; hence {B,I) ^ {B',I'). If instead /' is not consistent, then 
B' = BU b\ocWed(EDB, P, I, sel) 2 B and so we have again {B, I) ^ {B', /'). 

2. By statement 1, for all natural numbers n, we have 

A^^sel(2?)^Ap,sel(A?,^3el(P)). 

Now suppose that the lattice is finite. Under this hypothesis, bi-structures are finite 
and form a complete lattice. Hence, {Apgg|(I?)}igN is a chain in the cpo of the 
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bi-structures. Since such a cpo is finite, every chain consists of a finite number of 
elements. Therefore 

3fc.Vn>fc. A^^33i(P) = A«+i,(P). 

We can conclude that Apgg|(2?) is a fixpoint of Ap sei- If the lattice is not finite but 
P is c-annotated, it follows that: (i) the number of possible sets of blocked instances 
is finite, since annotations are fixed, the number of terms that can be constructed over 
the base language is finite, and rules are range restricted; (ii) due to Proposition ^ 
Tp B admits a fixpoint IpfiTp^B) = Tp.s t = ^p.b T ^i- From fact (i), it follows 
that there exists fca such that for all ft, > fca A^^gg|(2?) = {B,I), A^gg|(2?) = 
{B,I') and /' C+ /. From (ii) and the definition of A, we obtain the thesis. □ 

The next theorem shows that we can find a set of blocked rules B such that the least 
fixpoint of Tp B is a consistent ri-interpretation. 

Theorem 5 

Let P be a set of AmAU-Datalog rules, sel a conflict resolution policy, V = {B,I) a 
bi-structure, / a set of ground amalgamated extensional atoms. Suppose that either P is 
c-annotated or the lattice is finite. Then, there exists k such that Ap (2?) is a fixpoint 
of Ap^sei and if A''p^^^{V) = {B',!'), then /' = IfpiiTp^B'f^ and /' is consistent. 
Moreover, it contains a minimal set of blocked rule groundings. 

Proof 

First we notice that if Ap_sei((-Bi,-fi)) = (-B2, -^2) then -^i^ = /2^, that is the set of ground 
extensional atoms is not modified by A. This follows from the definition of Ap sei and 
from the fact that Fp ^ can add only intensional and update atoms to an ri-interpretation. 
As a consequence, for all natural numbers n, if Apgg|((i3i, /i)) = {Bn+i, In+i) then 
Ji — Jji+i ■ 

Since the ri-interpretation of A only consists of extensional atoms, then = I. 

By Lemma |[ Ap (A) is a fixpoint of Ap gei ■ By definition of A and by the above remark, 
there exists i < k such that Apgg|(P) = {B' , I). Then for all j such that i < j < k, 
we have Apgg|(I?) = (S', Fp^^p, (/)), because B' does not increase. Since Apgg|(I?) = 
{B',r) = (S',F^7^,(/)) is a fixpoint, then (S', F^T^^, (/)) = (B', F^;j^t^(/)). Therefore 
/' = Ifpj(FpB') and by definition of A, the set /' is consistent (otherwise the set of 
blocked rules would be augmented). 

In order to show that the computed set of blocked rules is minimal, suppose, by con- 
tradiction, that the computed set of blocked rule instances - say B - is not minimal. This 
means that there exists a set of rule groundings Ri = {ri, r„} G B and a set of rule 
groundings R2 = {r[, ...,r^}, m < n, i?i n i?2 = 0, such that lfpi{Tp^^B-Ri)uB.2) is 
consistent. Two cases may arise: 

• Suppose that R2 C B. This means that rule groundings in i?i does not lead to any 
conflict. But this not possible, since they have been selected by using the selection 
function. 

UPlif) denotes the least fixpoint of / wliicli is greater than or equal to 
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• Suppose that R2 2 B. This means that by blocking rule groundings in _Ri, rule 
groundings in R2 cannot be generated. Now suppose not to block rule groundings in 
i?i. These rules have been selected by the selection function and therefore they gen- 
erate conflicts. Moreover, their generation does not depend on the generation of rule 
groundings in R2, therefore by blocking rule groundings in i?2, rule groundings in 
i?i are not blocked. This also means that lfpi(Tp^(B-Ri)\jR.2) cannot be consistent. 

In both cases, we arrive to a contradiction, therefore the computed set of blocked rule 
groundings in minimal. □ 



5 Integrating deductive and active semantics 

In this section we show how the deductive and active semantics presented above fit together 
and how the result of a transaction is computed. 

We are interested in modeling as observable property of a transaction the following 
information: the set of answers, the database state, and the result of the transaction itself 
(that is. Commit or Abort). 

Definition 36 (Observables) 

An observable is a triple (Ans, EDB, Res) where Ans is a set of bindings, EDB is an 
extensional database and Res GjCommit, Abort}. The set of observables is Oss. □ 

The semantics presented in Sections ^ and Q does not include the execution of the col- 
lected updates, neither considers the transactional behavior. We now define a function 
which, given an i-interpretation and the current state of the system, returns the next state 
obtained by executing the updates in the i-interpretation. 

Definition 37 (Updates incorporation) 

Given an ri-interpretation / and a AmAU-Datalog extensional database EDB = EDBi U 
... U EDBn, we define 

+ 

Incorpil, EDB) = [jiEDB, V"^ {A : [i,Jl] \ -A : [^,7I] G /})|J 

i 

{A : [t,-p] I +A : [i,-p] e /}. 

where A \™^ _B is defined as in Definition |T8|. ^ \""^ i? is defined as the usual set difference 
with the following exception: if A contains D : [i, fix] and B contains D : [i, fi2], then: 

• if ^1 < /i2, A Y"'^ B does not contain D : [i, /^i]; 

• if ^1 > fi2, A B contains D : [i, fii]. □ 

Informally, update incorporation is based on the following rules. Suppose that an anno- 
tated atom Ai : [i, fix] has to be inserted/deleted and EDBi already contains an annotated 
atom Ai : [i, fi2] - The following cases may arise: 

• ^1 =112'- the insertion of an already present fact is required, then the extensional 
database does not change; 

• /ii > ^2'- since the truth value of /ii is stronger, the fact A : [i, fii] prevails and the 
new extensional database contains A : [«, ni] in place of A : [i, /Z2]; 
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• Hi < ii2'- -A. : [«, /i2] is maintained since the truth value /i2 already includes the truth 
value Hi, in other words the insertion of an already present fact is required; 

• Hi and /i2 non comparable: A : [i, ^2] is replaced by A : [«, U{/ii, /i2}]- 

Now consider deletion: 

• /ii = the new extensional database does not contain the fact A : [i, ^,2]', 

• Hi > 1^2' since the truth value of hi is stronger, the request of deletion prevails and 
the new extensional database does not contain fact A : [i, H2]', 

• Hi < M2- A : [i, H2] is maintained since the truth value hi is not sufficiently strong 
to delete such fact; 

• Hi ™d H2 non comparable: since it is not possible to establish which of the two 
values is the strongest, the extensional database is left unchanged. 

The semantics of an AmAU-Datalog program can now be defined as follows. 

Definition 38 (AtnAUDatalog semantics) 
Given an AmAU-Datalog program P, P = {S,DBi, ...,DBn), a transaction T and a 
conflict resolution policy sel, if P is c-annotated or the lattice is finite, the semantics of a 
transaction T in P is denoted by the function Sem defined as 

Semp,se\{T) = 5,oB.AR.sei(T)({0,i;i^P, Commit)) 

where the function iSioB ARsei (2^) ■ Oss Oss is defined as follows: 
If T is a simple transaction, then 

' (0,e, Abort) ifp = Abort 

/» ,-r^r. -.v if P 7^ Abort 

5,™..se,(r)((a,.,p)) = <j (Ans,,ncorp(/,£), Commit) 

(0, e, Commit) otherwise 
where 

Ans = a o {bj \ {bj,Uj) G Set(T, P)}, whereas o is the concatenation operator 
U = U{^i, I (6„II,) GSet(T,P)} 
(P,/) = AS3e,((0,e)) 

S = ARlirDBpU{^+A:[i,H]\+A:[i,H]eU}U 
{^-A: [i,H] I -A: [i,h] eU}. 
If T is a complex transaction P^; . . . ; P^, (fc > 2), then 

'^IDB.AR.Sel 

(Pi; . . . ■,Tk)iOss) = 5iDB .AR.sel 

(P2; . . . ; Pfc)(5,DB .AR.sel 

where Pi, . . . , Pfc are simple transactions. □ 

To compute the semantics of a simple transaction, first we build the set of answers in the 
marking phase (Definition This step returns a set of bindings for the variables (both 
in V and in V) of the transaction (Ans) and a set of amalgamated updates (P) which are 
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requested but which will not necessarily be executed. Then, we gather rules in order to 
apply the A operator (Definition p5| ). 

Such a set of rules (S) contains the rules in AR and the amalgamated updates requested 
from the deductive part (U), represented as rules with neither event nor condition. The 
updates in U become the initial events to which the active rules in AR have to react. 

To obtain the set of updates to be executed, we apply the A operator starting from 
an empty set of blocked rule instances and from the extensional database as initial ri- 
interpretation. Theorem § assures that a fixpoint of As sei is reached in a finite number of 
steps by computing the approximations A^ gg|((0, e)) and that the ri-interpretation, /, in 
the resulting bi-structure is consistent. Finally, the new state of the database is computed 
by incorporating the updates belonging to / in the current state of the database, following 
Definition |7[ 

The semantics of a complex transaction is simply given by the sequential composition 
of the semantics of its components. The state of the system is updated after each simple 
transaction. Besides, we return a list of sets of answers, one for each transaction composing 
the complex one.|^ 

It is important to note that the proposed semantics generates abort only due to media 
failures. As akeady noted, the answer set Set and the A fixpoint are computed in a finite 
number of steps, hence Semp sei is computed in a finite number of steps. 

Example 14 

Consider Example ^ In order to show how the semantics of AmAU-Datalog programs 
works, consider the transaction T =? pblock{X) : [s,t],tblock{Y, Z)[s,t], executed 
against the amalgam presented in Example ^, whose fixpoint has been presented in Fig- 
ure ^ In order to make clearer the computation, we use a set-based representation of ri- 
interpretations. In order to compute Senip^seiAC^)' suppose that our selection function 
privileges deletions. Now, let S = IDBa U ARa U USet{T, A), where USet{T, A) rep- 
resents the set of rules generated from the updates contained in Set(r, .4), presented in 
Example |ll], i.e. 

USet{T,A) = { ^+over.lv(s3):[l,t],^+over_lv(s3):[2,t],^+overJv(s3):[3,t], 

^+criticaLlv(s3):[l,t],^+criticaUv(s3):[2,t],^+criticaUv(s3):[3,t], 
^+partiaLblock(s3):[l,t],-*+partiaLblock(s3):[2,t],^+partiaLblock(s3):[3,t], 
^+totaLblock(s 1 ,s2): [ 1 ,t] ,^+totaLblock(s 1 ,s2): [2,t] , 
^+total_block(sl,s2):[3,t] } 

In order to compute the active semantics, we have to compute the fixpoint of 

As^sei^ ((0, EDbJ)). We let r = EDBj, and we start by computing Tsfiil"): 

ThjC^") = /i = U { danger_lv(sl):[l,t],dangerJv(s2):[l,±],danger_lv(s3):[l,t], 
danger_lv(sl):[2,±],danger_lv(s2):[2,t],danger_lv(s3):[2,t], 
danger_lv(sl):[3,t],danger_lv(s2):[3,t],danger_lv(s3):[3,t], 
danger.lv(sl):[{l,2},t],danger.lv(sl):[{l,3},t],danger_lv(sl):[{2,3},t], 
dangerJv(s2):[{l,2},t],danger.lv(s2):[{l,3},t],danger_lv(s2):[{2,3},t], 
danger.lv(s3):[{l,2},t],danger.lv(s3):[{l,3},t],danger_lv(s3):[{2,3},t], 
dangerJv(sl):[{l,2,3},t],danger.lv(s2):[{l,2,3},t],dangerJv(s3):[{l,2,3},t], 

We i- fcall that in Activs U-Datalog. only the answers of the lasf simple transacfion are. rstiime.fl {p erdno et al, 
19981 
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tblock(sl,s2):[s,t], 

+ovcrJv(s3): [ 1 ,t] ,+over_lv(s3): [2,t] ,+over Jv(s3): [3,t], 
+criticaLlv(s3) : [ 1 ,t] ,+criticaLlv(s3) : [2, t] ,+criticaUv(s3) : [3 ,t] , 
+partiaLblock(s3):[l,t],+partial_block(s3):[2,t],+partial_block(s3):[3,t], 
+totaLblock(s 1 ,s2): [ 1 ,t] ,+totaLblock(s 1 ,s2): [2,t],+total_block(s 1 ,s2): [3,t] } 

Since I\ is consistent, we let As^sej^ ((0, EDBji)) = ({}, Ji). The computation con- 
tinues by computing Fh 0(Ji), obtaining the following set: 

rH,0(/i) = /2 = /i U { pbIock{s3):[s,t], 

-partial.block(s3):[l,t],-partial.block(s3):[2,t],-partial_block(s3):[3,t] } 

At this step, a conflict has been generated, since there is the request of both insert- 
ing and deleting atoms partialJolock (s3) : [l, t ] , partialJolock (s3) : [2, t] , and 
partialJolock (s3) : [3, t ] . The conflicts related to these updates are the following: 

Ci = {l,partialMock[s2.),{{ri,^)},{{r2,{X <- si, F <- s2, Z <- 1, ^ s3, 
V^t})}) 

where ri is the rule — » +partialJ3lock (s3) : [1, t] and r2 is the rule 
+totalj3lock (X, Y) : [Z,t] , 

partialJalock (W) : [ Z, V] ^-partialJDlock (W) : [Z,V]. 
C2 = {2,partialMock{s^),{{rz,^)},{(r4.,{X <- si, F <- s2, Z <- 2, ^ s3, 
V^t])}) 

where rs is the rule +partialJ3lock (s3) : [2, t] and r4 is the rule 
+totaljDlock (X, Y) : [Z,t] , 

partialJalock (W) : [ Z, V] — »-partial±>lock (W) : [Z,V]. 
C3 = {3,partialJ}lock{s3), {(rs, 0)}, {(re, {X <- si, F <- s2, Z <- 3, ^ s3, 

V^t})}) 

where rs is the rule — > +partialJ3lock (s3) : [3, t] and re is the rule 
+totalJDlock (X, Y) : [Z,t] , 

partialJslock (W) : [ Z, V] — »-partial±>lock (W) : [Z,V]. 

Since we assume that the conflict resolution functions privileges deletions, we set 

B' = blocked(/^H,72,se^^) = {(n, 0), (r.,, 0), (rs, 0)} and we obtain As_^eu(({}' = 
{B' , P). We have now to compute r= {P), obtaining the following set: 

^■E^B'il") = I[=PiJ{ dangerJv(sl):[l,t],dangerJv(s2):[l,_L],dangerJv(s3):[l,t], 
danger_lv(s 1 ) : [2, ±] ,danger_lv(s2) : [2,t] ,danger _lv(s3) : [2, t] , 
danger_lv(s 1): [3,t] ,danger Jv(s2): [3,t] ,danger_lv(s3): [3,t], 
danger_lv(sl):[{l,2},t],dangerJv(sl):[{l,3},t],dangerJv(sl):[{2,3},t], 
danger_lv(s2):[{l,2},t],danger_lv(s2):[{l,3},t],danger.lv(s2):[{2,3},t], 
danger_lv(s3):[{l,2},t],danger_lv(s3):[{l,3},t],danger.lv(s3):[{2,3},t], 
danger_lv(sl):[{l,2,3},t],dangerJv(s2):[{l,2,3},t],danger.lv(s3):[{l,2,3},t], 
tblock(sl,s2):[s,t], 

+over_lv(s3):[l,t],+overJv(s3):[2,t],+overJv(s3):[3,t], 
+criticalJv(s3):[l,t],+criticaUv(s3):[2,t],+criticaUv(s3):[3,t], 
+total.block(s 1 ,s2): [ 1 ,t] ,+total_block(s 1 ,s2): [2,t] ,+total_block(s 1 ,s2): [3,t] 
} 

Since I[ is consistent, we let Ag ^^j^ ((B', P)) = {B' , The computation continues by com- 
puting rs,B' {Ii), obtaining the following set: 

^B,B'{I'i) =I^ = IiU{ pblock(s3):[s,t], 

-partial_block(s3) : [ 1 ,t] ,-partial.block(s3) : [2,t] ,-partial.block(s3): [3,t] 

} 
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Since J2 is consistent, we let A= ^g;^ {{B' , — {B' , 12). It is possible to prove that additional 
iterations do not generate any new constrained atom, therefore Ag <,ei^ (({}' ^DBa)) ~ {B' ,12). 
From this, we obtain 

Semp^seiA {T) = (X ^ s3, y ^ si, Z ^ s3, EDB'j^, Commit) 

where EDB'j^ = incorp(7^, EDBa) and: 

incorp(J2, -E-DB^) = { sensor(sl):[l,t],sensor(s2):[l,_L],sensor(s3):[l,t],overJv(sl)[l,t], 

criticaLlv(sl):[l,t],sensor(sl):[2,_L],sensor(s2):[2,t],sensor(s3):[2,t], 
over_lv(s2) [2,t] ,criticaljv(s2) : [2,t] ,sensor(s 1 ): [3,t] ,sensor(s2) : [3 ,t] , 
sensor(s3) : [3 ,t] ,over_lv(s3) : [ 1 ,t] ,over_lv(s3) : [2,t] ,over_lv(s3) : [3 ,t] , 
criticaLlv(s3):[l,t],criticalJv(s3):[2,t],criticalJv(s3):[3,t], 
totaLblock(s 1 ,s2): [ 1 ,t],totaLblock(s 1 ,s2): [2,t] ,totaLblock(s 1 ,s2): [3,t] 
} 

O 



6 Conclusions and future work 

In this paper, we defined a logical framework for modeling queries, updates, and update 
propagation against a set of heterogeneous knowledge bases. The framework has been 
obtained by extending the amalgamated knowledge base framework proposed in (Subrah- 
manian, 1994) to deal with updates and updates propagation. To this purpose, the local 
databases and the mediator have been modeled as Annotated Active U-Datalog databases. 
In this way, each local source and the mediator are composed of a set of ground facts, a set 
of deductive rules and a set of active rules, whose semantics has been defined according 
to the PARK semantics proposed in ( Gottlob et al, 199^ . A fixpoint semantics for the 



proposed language has also been proposed, extending those presented in (Subrahmanian, 
1994) and in ( [Bertino et al, 1998| ). 



This work can be extended in several ways. A first important question concerns the 
definition and analysis of properties concerning the execution of distributed queries, trans- 
actions and active rules. Another important issue is the extension of AmAU-Datalog with 
negation in deductive rules and the definition of proper semantics. Finally, an additional 
important direction concerns the extension of the proposed language to model not only 
integration but also cooperation among the various sources. To this purpose, we plan to in- 
tegrate the capabilities of the proposed framework with those of Heterogeneous U-Datalog 



( Bertino et al, 200C ), by providing each local sources with the ability to communicate and 
exchange information with other sources. The result would be a framework for integrating 
knowledge bases in a fully static, dynamic, and cooperative way. 
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